Upcoming Github Enterprise Vulnerability Disclosure

Earlier today I discovered that, due to a vulnerability with Github Enterprise, I still had access to resources at my former company that I really shouldn’t have. After reporting it to those guys so they could lock it down on their end, I reached out to Github themselves so they could repair it on their end and push out a fix to their own customers.

Their response was that they didn’t care. I received a form letter stating that they were “aware of this and similar issues”, and that they’d be working on improving it in the future.

Sometime this weekend I am going to be writing a blog post describing how former employees of a company can access the repositories and data inside Github Enterprise installations, because apparently Github as a company gives no fucks and it’s public disclosure time.

If anyone knows anyone at Github who might actually take this seriously please feel free to send them my way. I would much rather do this the proper way if possible.


2 Comments

  • Nav:

    Hi Robert. I’m considering purchasing GitHub enterprise and was surprised to see your post. Could you elaborate on what exactly the issue was and whether it has been solved by GitHub? I see it has been more than a year that you have posted this.

    • tedivm (in reply to Nav):

      The problem was related to how they authenticate LDAP users. They have since cleaned up that code and improved things quite a bit.