mirror of https://github.com/github/docs.git
Security 5086 update release notes (#29483)
Co-authored-by: Sara <SaraClements@users.noreply.github.com> Co-authored-by: Vanessa <vgrl@github.com>
This commit is contained in:
Parent
a194d300b3
Commit
12bcf59e94
|
@ -4,7 +4,10 @@ sections:
|
|||
- "**MEDIUM**: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached."
|
||||
- "**MEDIUM**: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface."
|
||||
- Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including [CVE-2020-13379](https://github.com/advisories/GHSA-wc9w-wvq2-ffm9) and [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g).
|
||||
- Packages have been updated to the latest security versions.
|
||||
- Packages have been updated to the latest security versions.
|
||||
- "**MEDIUM**: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23733](https://www.cve.org/CVERecord?id=CVE-2022-23733). [Updated: 2022-07-31]"
|
||||
|
||||
|
||||
bugs:
|
||||
- Fixed an issue where the files inside the artifact zip archives had permissions of 000 when unpacked using an unzip tool. Now the files will have the permissions set to 644, the same way as it works in GitHub.com.
|
||||
- In some cases, the collectd daemon could consume excess memory.
|
||||
|
|
|
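Review bot: The entry "Packages have been updated to the latest security versions." appears twice in a row in the security list shown in this hunk. If the second copy is not intentional, drop it so the list carries a single such item; if the two lines refer to different package sets, reword them so a reader can tell them apart.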
@ -4,7 +4,8 @@ sections:
|
|||
- "**MEDIUM**: Prevents an attack where a server-side request forgery (SSRF) could potentially force the Subversion (SVN) bridge to execute remote code by injecting arbitrary data into Memcached."
|
||||
- "**MEDIUM**: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface."
|
||||
- Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including [CVE-2020-13379](https://github.com/advisories/GHSA-wc9w-wvq2-ffm9) and [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g).
|
||||
- Packages have been updated to the latest security versions.
|
||||
- Packages have been updated to the latest security versions.
|
||||
- "**MEDIUM**: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23733](https://www.cve.org/CVERecord?id=CVE-2022-23733). [Updated: 2022-07-31]"
|
||||
bugs:
|
||||
- In some cases, the collectd daemon could consume excess memory.
|
||||
- In some cases, backups of rotated log files could accumulate and consume excess storage.
|
||||
|
|
|
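Review bot: The CVE-2022-23733 entry in the security list describes the stored XSS and says the injection was blocked by the Content Security Policy, but unlike the neighbouring items, which are worded "Prevents an attack ..." or "Updates Grafana to ...", it never says what this release changes. Suggest ending the entry with a clause that states whether the attribute injection itself is fixed in this release, so an administrator can tell whether the upgrade closes the issue or whether CSP remains the only control.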
@ -5,6 +5,8 @@ sections:
|
|||
- "**MEDIUM**: Prevents an attacker from executing Javascript code by exploiting a cross-site scripting (XSS) vulnerability in dropdown UI elements within the GitHub Enterprise Server web interface."
|
||||
- Updates Grafana to version 7.5.16, which addresses various security vulnerabilities including [CVE-2020-13379](https://github.com/advisories/GHSA-wc9w-wvq2-ffm9) and [CVE-2022-21702](https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g).
|
||||
- Packages have been updated to the latest security versions.
|
||||
- "**MEDIUM**: A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability was reported via the GitHub Bug Bounty program and has been assigned [CVE-2022-23733](https://www.cve.org/CVERecord?id=CVE-2022-23733). [Updated: 2022-07-31]"
|
||||
|
||||
bugs:
|
||||
- In some cases, the collectd daemon could consume excess memory.
|
||||
- In some cases, backups of rotated log files could accumulate and consume excess storage.
|
||||
|
|
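Review bot: Product-name casing is inconsistent in the security entries of this hunk: the CVE-2022-23733 item writes "Github's Content Security Policy" while the same sentence uses "GitHub Enterprise Server" and "GitHub Bug Bounty", and the dropdown XSS item writes "Javascript". Suggest "GitHub's" and "JavaScript". The same strings appear in the other two files touched by this commit, so fix them there as well.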