hackerone | ammar2 | H1:1901040
Mar 10, 2023 - 6:58 p.m.

GitHub: Authentication bypass on gist.github.com through SSH Certificates

2023-03-10 18:58:43
ammar2
hackerone.com
$10000
42
github
authentication bypass
ssh certificates
vulnerability
secret gists
public gists
authentication
bug bounty

EPSS: 0.001 (Low), percentile 46.5%

An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to modify other users’ secret gists by authenticating through an SSH certificate authority. To do so, a user had to know the secret gist’s URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.9 and was fixed in versions 3.4.18, 3.5.15, 3.6.11, 3.7.8, and 3.8.1. This vulnerability was reported via the GitHub Bug Bounty program.

GitHub supports SSH certificate authority authentication for GitHub Enterprise Cloud customers. As part of certificate authority authentication, the certificate contains an `extension:login@github.com=username` corresponding to which username from the organization to authenticate as.

Due to a missed check in the gist.github.com authentication flow, an attacker could create a certificate giving them access to push to any username’s gists.


Minor correction on the vendor description, it’s not just secret gists that were at risk. An attacker could have pushed changes to a user’s public gists as well.
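
As an added illustration (not code from the report, the reporter, or GitHub): a server-side check that parses an OpenSSH user certificate, reads the `login@github.com` extension, and accepts the asserted login only when the signing CA is allowed to vouch for that account. The report does not describe the missing check, so the policy in `may_act_as`, the `ca_members` mapping and the `sample_cert` builder are assumptions made for this example.

```python
import base64, hashlib, struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
LOGIN_EXT = "login@github.com"  # extension name GitHub documents for SSH CAs

def _s(b):  # encode one SSH wire-format string
    return struct.pack(">I", len(b)) + b

def _read(buf, off):  # decode one length-prefixed string, bounds-checked
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):  # -> cert type, asserted login, CA fingerprint
    raw = base64.b64decode(line.split()[1])
    ktype, off = _read(raw, 0)
    if ktype != CERT_TYPE:
        raise ValueError("only ed25519 certificates are handled here")
    for _ in range(2):                 # nonce, subject public key
        _, off = _read(raw, off)
    _serial, ctype = struct.unpack_from(">QI", raw, off)
    off += 12
    for _ in range(2):                 # key id, principals
        _, off = _read(raw, off)
    off += 16                          # valid_after, valid_before
    _, off = _read(raw, off)           # critical options
    ext, off = _read(raw, off)
    _, off = _read(raw, off)           # reserved
    ca, off = _read(raw, off)          # signing CA public key blob
    exts, p = {}, 0
    while p < len(ext):                # (name, data) pairs
        name, p = _read(ext, p)
        data, p = _read(ext, p)
        exts[name.decode()] = _read(data, 0)[0].decode() if data else ""
    fp = base64.b64encode(hashlib.sha256(ca).digest()).decode().rstrip("=")
    return {"type": ctype, "login": exts.get(LOGIN_EXT), "ca": "SHA256:" + fp}

def may_act_as(line, owner, ca_members):
    """Assumed policy; the certificate signature must already be verified."""
    c = parse_cert(line)
    members = ca_members.get(c["ca"], set())  # logins this CA may vouch for
    return c["type"] == 1 and c["login"] == owner and owner in members  # 1 = user

def sample_cert(login, ca_key):  # constructed: dummy keys, empty signature
    ext = _s(LOGIN_EXT.encode()) + _s(_s(login.encode()))
    body = (_s(CERT_TYPE) + _s(b"n" * 16) + _s(b"k" * 32) + struct.pack(">QI", 1, 1)
            + _s(b"demo") + _s(_s(login.encode())) + struct.pack(">QQ", 0, 2**64 - 1)
            + _s(b"") + _s(ext) + _s(b"") + _s(ca_key) + _s(b""))
    return CERT_TYPE.decode() + " " + base64.b64encode(body).decode()
```

The same decision has to be applied on every endpoint that accepts certificate logins, with `owner` taken from the resource being written to rather than from the certificate.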
