Skip to content

GitHub Enterprise Server Vulnerabilities Response: patches released

Enterprise Server/Unified SKU Customers:

Due to the critical nature of the vulnerabilities identified in Rails, we strongly urge customers immediately upgrade their GitHub Enterprise Server appliance to the latest patch release in their series, GitHub Enterprise Server 2.13.22, 2.14.16, 2.15.9, 2.16.4, or greater.

If you have any questions, please contact GitHub support at https://enterprise.github.com/support.

The full release notes are available at:

https://enterprise.github.com/releases/2.16.4/notes https://enterprise.github.com/releases/2.15.9/notes

https://enterprise.github.com/releases/2.14.16/notes https://enterprise.github.com/releases/2.13.22/notes

Common Vulnerability and Exposure (CVE) references have been issued for the vulnerabilities:

  • CRITICAL: A specially crafted request could allow arbitrary files to be read and the file content to be disclosed. For more information see the associated Rails CVE: CVE-2019-5418
  • HIGH: High CPU usage could be triggered by a specially crafted request resulting in Denial of Service (DoS). For more information see the associated Rails CVE: CVE-2019-5419

GitHub Enterprise Cloud (“github.com”) vulnerabilities response: patched and not vulnerable

GitHub.com and supporting services are not vulnerable. Patches and mitigations were applied as necessary ahead of the public vulnerability disclosure. Standard incident response procedures were enacted to ensure no earlier attempts were made to exploit the vulnerabilities.

Common Vulnerability and Exposure (CVE) references have been issued for the vulnerabilities:

  • CRITICAL: A specially crafted request could allow arbitrary files to be read and the file content to be disclosed. For more information, see the associated Rails CVE: CVE-2019-5418
  • HIGH: High CPU usage could be triggered by a specially crafted request resulting in Denial of Service (DoS). For more information see the associated Rails CVE: CVE-2019-5419
See more

Deep link to pull request file filter

Pull request file filter selections are reflected in URLs, and files are collapsed/expanded instead of shown/hidden.

Learn more about filtering files in a pull request by file type

See more
View all changes