Mitigation Strategies

To mitigate this vulnerability, ensure that your GitHub Enterprise Server is updated to one of the fixed versions: 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, or 3.20.1.

Additionally, verify that private mode is enabled to prevent the notebook viewer from following HTTP redirects without revalidating the destination host, which is a key factor in the exploitation of this SSRF vulnerability.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is a server-side request forgery (SSRF) issue in GitHub Enterprise Server. It allows an attacker to extract sensitive environment variables from the server by exploiting a timing side-channel attack against the notebook rendering service.

When private mode is disabled, the notebook viewer follows HTTP redirects without checking the destination host again. This enables an unauthenticated SSRF attack to internal services.

The attacker can combine this with regex filter queries against an internal API and measure response time differences to infer secret values character by character.

Exploitation requires private mode to be disabled and the attacker to chain the instance's open redirect endpoint through an external redirect to reach internal services.

This vulnerability affects all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, and 3.20.1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to extract sensitive environment variables from your GitHub Enterprise Server instance without authentication.

By exploiting the SSRF and timing side-channel attack, attackers can gain access to secret values that could compromise the security of your internal services and data.

Such exposure could lead to unauthorized access, data leakage, or further attacks within your internal network.

Useful 0 Not Useful 0