Impact
A server‑side request forgery flaw exists in the upload endpoint of GitHub Enterprise Server, allowing an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation. By inserting path‑traversal characters into request parameters, an attacker can cause the server to perform internal HTTP requests, bypassing the intended audience and exposing internal services and potentially sensitive credentials. This weakness corresponds to CWE‑918. The vulnerability affected all versions prior to 3.22 and was fixed in 3.17.17, 3.18.11, 3.19.8, 3.20.4, vulnerability was reported via the GitHub Bug Bounty program. The flaw is active for unauthenticated users and therefore allows attackers to reach protected resources without needing valid credentials.
Affected Systems
GitHub Enterprise Server versions prior to 3.22 are affected. The fix was released in 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.2; any deployment running an older version must be upgraded to a patched release.
Risk and Exploitability
The CVSS score of 9.2 indicates high severity, while the EPSS score of 0.06605 (6.605%) indicates a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by crafting HTTP requests to the public upload API endpoint, using path‑traversal to direct the server to reach internal URLs. Because authentication is not required, the risk persists for all exposed instances until patched.
OpenCVE Enrichment