CVE-2024-5816
📋 TL;DR
A suspended GitHub App could retain unauthorized access to public repositories via scoped user access tokens in GitHub Enterprise Server. This incorrect authorization vulnerability affects all GitHub Enterprise Server versions prior to 3.14, but only impacts public repositories - private repositories remain secure.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
A malicious actor could maintain persistent access to sensitive data in public repositories even after their GitHub App has been suspended, potentially leading to data exfiltration or unauthorized modifications.
Likely Case
Accidental retention of access by legitimate but suspended GitHub Apps, potentially violating security policies and compliance requirements for public repository access control.
If Mitigated
Limited to public repositories only, with no impact on private repositories, reducing overall exposure.
🎯 Exploit Status
Requires a previously authorized GitHub App that has been suspended but retains scoped user access tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1, or 3.14+
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.10/admin/release-notes
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Upgrade to one of the patched versions: 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1, or 3.14+.
3. Follow GitHub's standard upgrade procedures for your deployment method.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Convert public repositories to private
Temporarily convert vulnerable public repositories to private to prevent exploitation while planning the upgrade.
Revoke all GitHub App tokens
Manually revoke access tokens for suspended GitHub Apps to prevent unauthorized access.
🧯 If You Can't Patch
- Monitor all GitHub App activity in public repositories for unauthorized access attempts
- Implement strict review processes for GitHub App installations and regularly audit active tokens
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the Management Console, or SSH into the appliance and run 'ghe-version'.
Check Version:
ssh admin@your-ghe-instance 'ghe-version'
Verify Fix Applied:
Verify that the version reported by 'ghe-version' is 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1, or 3.14+.
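As an added example (not part of this advisory or of GitHub's tooling), the following Python check turns the text returned by 'ghe-version' into a verdict against the patched versions listed above, applying the per-branch floors, the 3.14+ rule, and treating branches older than 3.9 (which have no fixed release listed here) as vulnerable. The exact wording of the 'ghe-version' output is an assumption; the script only relies on finding one x.y.z release number in it, and the sample outputs are constructed.

```python
import re

# Lowest patched release on each supported GHES branch, as listed in this
# advisory. Branches before 3.9 have no fixed release listed and are treated
# as vulnerable; anything from 3.14 upward is patched.
PATCHED_FLOOR = {
    (3, 9): 17,
    (3, 10): 14,
    (3, 11): 12,
    (3, 12): 6,
    (3, 13): 1,
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_ghe_version(output: str) -> tuple:
    """Extract the x.y.z release number from 'ghe-version' output.

    Assumption: the output contains one dotted release number such as
    '3.10.12'; the surrounding wording is not relied upon.
    """
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no release number found in: {output!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True if this (major, minor, patch) release contains the fix for CVE-2024-5816."""
    major, minor, patch = version
    if (major, minor) >= (3, 14):
        return True
    floor = PATCHED_FLOOR.get((major, minor))
    if floor is None:
        return False  # older/unsupported branch: no fixed release listed
    return patch >= floor


def assess(output: str) -> str:
    """Turn raw 'ghe-version' output into a one-word verdict."""
    return "patched" if is_patched(parse_ghe_version(output)) else "VULNERABLE"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real appliance.
    for sample in ("GitHub Enterprise Server 3.10.12",
                   "GitHub Enterprise Server 3.12.6",
                   "GitHub Enterprise Server 3.14.0"):
        print(f"{sample}: {assess(sample)}")
```

To use it against a live appliance, pipe the output of ssh admin@your-ghe-instance 'ghe-version' into assess().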
📡 Detection & Monitoring
Log Indicators:
- Unauthorized API calls from suspended GitHub Apps
- Access patterns from apps that should be disabled
Network Indicators:
- API requests to public repositories from unexpected sources
SIEM Query:
source="github-enterprise" (app_status="suspended" AND action="api_call")
🔗 References
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.15
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.9.17
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17