
Commit 48825da

Update security vulnerability description in release notes (#57286)
1 parent 58a8bfe commit 48825da

File tree: 1 file changed (+1, -1 lines)
  • data/release-notes/enterprise-server/3-17


data/release-notes/enterprise-server/3-17/5.yml

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ intro: |
88
sections:
99
security_fixes:
1010
- |
11-
**HIGH:** An improper access control vulnerability was identified that allowed authenticated users to obtain code content from private repositories they did not have permission to access. If a user knew the names of a private repository and its branches, tags, or commit SHAs, they could use the compare/diff functionality to retrieve code from those repositories without authorization. Exploiting this vulnerability also required the attacker to have legitimate access to another repository within the same fork network. This vulnerability has been assigned [CVE-2025-8447](https://www.cve.org/cverecord?id=CVE-2025-8447) and was reported through the [GitHub Bug Bounty program](https://bounty.github.com/).
11+
**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability has been assigned [CVE-2025-8447](https://www.cve.org/cverecord?id=CVE-2025-8447) and was reported through the [GitHub Bug Bounty program](https://bounty.github.com/).
1212
- |
1313
**LOW:** In repositories where delegated alert dismissal was enabled, requests to resolve a secret scanning alert using the REST API were accepted when the actor had insufficient permission. The endpoint checked to see if the actor had permission to resolve secret scanning alerts but failed to verify that the actor was also a valid reviewer. This could allow an actor to bypass the review process. The endpoint was updated to use the same logic as the UI.
1414
- |
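Review bot: The rewritten entry at new line 11 drops two preconditions the old text stated, that the attacker must be an authenticated user and must have legitimate access to another repository in the same fork network, and replaces them with the much broader "users with access to any repository". If the fork-network requirement still holds it should stay, because it materially narrows who can exploit CVE-2025-8447 on a given instance; if it no longer holds, that is a widening of scope and belongs in the commit message as such rather than under "Update security vulnerability description". The new wording also says "limited code content" twice without saying what bounds it; either state what limits what the compare/diff view returns, if that is known, or use "limited" once so the sentence does not read as hedging.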
