Overview
- Wiz released technical details Tuesday, reporting that roughly 88% of reachable GitHub Enterprise Server instances were still unpatched at disclosure.
- GitHub validated the report on March 4 and deployed a fix to GitHub.com within two hours; it then said its telemetry showed only Wiz’s test activity and no access to customer data.
- The flaw was that user-supplied push options were placed inside a semicolon-delimited internal header and trusted there, so an attacker could inject extra fields that the server treated as trusted settings.
- On GitHub Enterprise Server the bug allowed full server takeover by any authenticated pusher, while on GitHub.com it enabled code execution on shared storage nodes that exposed millions of repositories.
- GitHub urged Enterprise admins to upgrade to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4, or 3.20.0 and later, and to review /var/log/github-audit.log for pushes whose options contain unusual characters such as semicolons.
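The delimiter-injection pattern described above, shown as an added example that is not GitHub's code: a hypothetical semicolon-delimited header is built from trusted fields plus a user push option, once naively (the injectable shape) and once with delimiter characters rejected, followed by a check that flags audit entries whose push options carry such characters. The header layout, field names and log format are constructed for illustration.

```python
import json
import re

# Hypothetical header format, constructed for this example: trusted settings and the
# user's push option are joined into one string such as "repo=org/app;actor=alice;push_option=...".
# Any character that could terminate a field or start a new key is forbidden in user input.
FORBIDDEN = re.compile(r"[;=\x00-\x1f]")


def build_header_naive(trusted: dict, push_option: str) -> str:
    """Injectable shape: the user value is concatenated without escaping or validation."""
    parts = [f"{k}={v}" for k, v in trusted.items()]
    parts.append(f"push_option={push_option}")
    return ";".join(parts)


def parse_header(header: str) -> dict:
    """Server-side parser: splits on ';' so an injected ';admin=true' becomes its own field."""
    fields = {}
    for part in header.split(";"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def build_header_safe(trusted: dict, push_option: str) -> str:
    """Hardened form: refuse user input containing the delimiter, the key/value
    separator or control bytes, so it can never be parsed as a trusted field."""
    if FORBIDDEN.search(push_option):
        raise ValueError("push option contains a header delimiter character")
    return build_header_naive(trusted, push_option)


def suspicious_push_options(log_lines) -> list:
    """Flag audit entries whose push options contain delimiter characters.
    The JSON line format here is constructed; a real audit log will differ."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("action") != "git.push":
            continue
        for opt in entry.get("push_options", []):
            if FORBIDDEN.search(opt):
                hits.append((entry["actor"], opt))
    return hits


# Constructed sample audit lines: one benign push, one with an injected field, one unrelated event.
SAMPLE_LOG = [
    '{"action":"git.push","actor":"alice","push_options":["ci.skip"]}',
    '{"action":"git.push","actor":"mallory","push_options":["note;admin=true"]}',
    '{"action":"repo.create","actor":"bob"}',
]
```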