Unauthorized Access to Private Repository NWO via Deploy Key in Internal LFS API
Posted: Fri Nov 01, 2024 4:28 am
This vulnerability allows unauthorized viewing of private repository details, including the NWO (Namespace With Owner), through improper access in the internal LFS API. Exploiting this flaw could expose sensitive data tied to repository deployment keys, compromising repository security.
https://hackerone.com/reports/2469713