CVE-2024-8810
📋 TL;DR
A GitHub App installed in an organization could upgrade some of its own permissions from read to write without the organization administrator approval that such an upgrade normally requires. An attacker needs an account with administrator access to get the malicious app installed in the first place, but once it is installed the app can grow its privileges without the approval step. The vulnerability affects GitHub Enterprise Server versions prior to 3.14 and was fixed in 3.14.1, 3.13.4, 3.12.9, 3.11.15 and 3.10.17.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
GitHub Enterprise Server is GitHub's self-hosted edition, deployed as a virtual appliance on the customer's own infrastructure and administered through the Management Console and an administrative SSH shell. GitHub Apps are integrations installed into organizations with a declared set of permissions (for example contents: read); raising an installed app's permissions is meant to require an organization administrator's approval.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who controls an administrator account, or who persuades an administrator to install an attacker-controlled GitHub App that looks harmless because it only asks for read access, has the app upgrade itself to write access. Write access to sensitive repositories allows malicious commits, tampering with CI workflow definitions, and supply chain compromise of everything that builds from or depends on those repositories.
Likely Case
A malicious insider or a compromised administrator account installs an app with read-only permissions, which then escalates to write access to modify repositories, commit malicious code, or reach organizational data without the approval trail an explicit write grant would have left.
If Mitigated
On a patched instance an upgrade from read to write access again requires administrator approval, so the app can hold only what an administrator explicitly granted. With the workarounds below in place on an unpatched instance (restricted app installation, a small administrator set, MFA), an attacker must additionally compromise or deceive one of a few well-protected administrators, and the impact is bounded by the repositories those administrators can install apps for.
🎯 Exploit Status
Exploitation requires an account with administrator access to install a GitHub App, so the realistic actors are a malicious insider, a compromised administrator account, or an administrator tricked into installing an app that presents itself as read-only. The escalation itself happens after installation and without the approval prompt that would otherwise alert the administrator.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.14.1, 3.13.4, 3.12.9, 3.11.15, or 3.10.17
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.1
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Put the instance into maintenance mode and upgrade to the patched release for your line: 3.14.1, 3.13.4, 3.12.9, 3.11.15 or 3.10.17.
3. Follow GitHub's upgrade documentation for your specific version and deployment type (single instance, high availability, or cluster).
4. Reboot the instance as prompted when the upgrade completes, then take it out of maintenance mode and confirm the new version.
🔧 Temporary Workarounds
Restrict GitHub App installations
Temporarily disable or restrict new GitHub App installations across all organizations until the instance is patched, and review apps already installed for permissions that exceed what their stated purpose needs.
Review administrator access
Audit the administrator accounts on the instance and in each organization, and reduce them to the minimum set that genuinely needs to install apps.
🧯 If You Can't Patch
- Record a baseline of the permissions held by every installed GitHub App, then monitor installations and permission changes against it so that an unapproved read-to-write upgrade stands out
- Enforce multi-factor authentication for all administrator accounts, since a compromised administrator is the most likely entry point
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the Management Console, the administrative SSH shell, or the REST API. The instance is vulnerable if it runs a release older than the patched release on its line: 3.10.x below 3.10.17, 3.11.x below 3.11.15, 3.12.x below 3.12.9, 3.13.x below 3.13.4, or 3.14.0 (the 3.14 line was fixed in 3.14.1). Lines older than 3.10 did not receive a fix and should be treated as vulnerable.
Check Version:
ssh -p 122 admin@your-ghes-instance -- ghe-version
curl -s https://your-ghes-instance/api/v3/meta | jq -r .installed_version   (add an Authorization header if your instance does not allow anonymous API access)
or read the version from the Management Console dashboard.
Verify Fix Applied:
After upgrading, confirm the reported version is 3.14.1, 3.13.4, 3.12.9, 3.11.15 or 3.10.17 (or newer on the same line). As a functional check, install a test GitHub App with a read-only permission, have the app request an upgrade of that permission to write, and confirm the upgrade now stays pending until an organization administrator approves it rather than taking effect on its own.
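The version rule above is easy to get wrong by hand (3.14.0 looks "new" but predates the 3.14.1 fix). The script below, an added example rather than GitHub's own tooling, encodes the rule from this page and reads the installed_version field that GHES returns from GET /api/v3/meta; the sample JSON is constructed, and treating release lines newer than 3.14 as post-fix is an inference from the fix list, not a statement from the advisory.

```python
"""Decide whether a GitHub Enterprise Server release contains the CVE-2024-8810 fix.

Added example, not GitHub's code. It reads the "installed_version" field that a
GHES instance returns from GET /api/v3/meta (the sample JSON below is
constructed) and compares the release against the fixed versions listed on this
page. Treating any release line newer than 3.14 as post-fix is an inference
from the fix list, not a statement from the advisory.
"""
import json
import re
from typing import Tuple

# Lowest release on each line that contains the fix (from the vendor advisory).
FIRST_FIXED = {
    (3, 10): 17,
    (3, 11): 15,
    (3, 12): 9,
    (3, 13): 4,
    (3, 14): 1,
}

# Constructed sample of a /meta response; only installed_version matters here.
SAMPLE_META = '{"verifiable_password_authentication": false, "installed_version": "3.12.9"}'


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (optionally with a leading 'v' or a trailing suffix)."""
    match = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not affected' for a version string."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIRST_FIXED:
        # 3.14.0 lands here too: it predates 3.14.1 and is treated as vulnerable.
        return "patched" if patch >= FIRST_FIXED[line] else "vulnerable"
    if line < (3, 10):
        # Older lines received no fix on this page; treat them as vulnerable.
        return "vulnerable"
    # Assumption: lines released after 3.14 shipped with the fix already in.
    return "not affected"


def assess_meta(meta_json: str) -> Tuple[str, str]:
    """Pull installed_version out of a /meta response body and assess it."""
    version = json.loads(meta_json)["installed_version"]
    return version, assess(version)


if __name__ == "__main__":
    for sample in ("3.13.2", "3.13.4", "3.14.0", "3.14.1", "3.9.9", "3.15.0"):
        print(f"{sample:>8}: {assess(sample)}")
    print("from /meta:", assess_meta(SAMPLE_META))
```

Feed it the output of the curl command above (or the string printed by ghe-version) and treat anything other than "patched" or "not affected" as an instance that still needs the upgrade.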
📡 Detection & Monitoring
Log Indicators:
- A GitHub App installation whose permissions moved from read to write without a matching approval by an organization administrator
- New GitHub App installations, especially of apps that are not on your organization's approved list
- Any permission change on an installed app that does not line up with a change request you recognize
Network Indicators:
- API traffic from an installed app's credentials that starts performing write operations (pushes, content updates) against repositories where the app was only ever granted read access
SIEM Query:
The query below is illustrative: GHES audit-log entries carry the event name in the action field, and GitHub App installation and permission events fall under the integration_installation action category. Map the source name and field names to whatever your SIEM's GitHub ingestion uses, and review every match that an administrator did not expect.
source="github_audit_log" AND action="integration_installation.*"
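Because the audit log only tells you that an installation changed, the fastest way to confirm a read-to-write upgrade is to diff the permissions object GHES reports for each installation against a baseline you recorded earlier. The script below is an added example, not GitHub's code: both snapshots are constructed sample data, the installation ids are placeholders, and the read < write < admin ordering is an assumption used only for ranking.

```python
"""Flag GitHub App installations whose permissions grew, e.g. from read to write.

Added example, not GitHub's code. It diffs two snapshots of the "permissions"
object that GHES reports for each installation (for example from
GET /api/v3/app/installations), keyed by installation id, and reports every
permission whose access level increased. Both snapshots below are constructed
sample data; the read < write < admin ordering is an assumption used for
ranking only.
"""
from typing import Dict, List, Tuple

PermMap = Dict[str, str]
Escalation = Tuple[str, str, str]  # (permission, old level, new level)

# Access levels in increasing order; "none" means the permission was absent.
RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed baseline recorded before the reporting window.
BASELINE_SNAPSHOT: Dict[int, PermMap] = {
    101: {"contents": "read", "metadata": "read", "pull_requests": "read"},
    102: {"issues": "read", "metadata": "read"},
}

# Constructed current snapshot: app 101 gained contents:write, app 103 is new.
CURRENT_SNAPSHOT: Dict[int, PermMap] = {
    101: {"contents": "write", "metadata": "read", "pull_requests": "read"},
    102: {"issues": "read", "metadata": "read"},
    103: {"contents": "read", "metadata": "read"},
}


def escalations(before: PermMap, after: PermMap) -> List[Escalation]:
    """Permissions in `after` that rank higher than they did in `before`."""
    found: List[Escalation] = []
    for perm, new_level in sorted(after.items()):
        old_level = before.get(perm, "none")
        if RANK.get(new_level, 0) > RANK.get(old_level, 0):
            found.append((perm, old_level, new_level))
    return found


def review(baseline: Dict[int, PermMap],
           current: Dict[int, PermMap]) -> Dict[int, List[Escalation]]:
    """Alert on every installation with at least one escalated permission.

    A newly installed app shows up with every permission escalating from
    "none", which covers the 'new installation' indicator as well.
    """
    alerts: Dict[int, List[Escalation]] = {}
    for inst_id, perms in current.items():
        diff = escalations(baseline.get(inst_id, {}), perms)
        if diff:
            alerts[inst_id] = diff
    return alerts


def read_to_write_only(alerts: Dict[int, List[Escalation]]) -> Dict[int, List[str]]:
    """Narrow the alerts to the CVE-2024-8810 pattern: read upgraded to write."""
    return {
        inst_id: [perm for perm, old, new in diff if old == "read" and new == "write"]
        for inst_id, diff in alerts.items()
        if any(old == "read" and new == "write" for _, old, new in diff)
    }


if __name__ == "__main__":
    alerts = review(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)
    for inst_id, diff in alerts.items():
        for perm, old, new in diff:
            print(f"installation {inst_id}: {perm} {old} -> {new}")
    print("read->write only:", read_to_write_only(alerts))
```

Run it on a schedule with the previous snapshot as the baseline; any installation in the read_to_write_only output that has no corresponding administrator approval is exactly the condition this CVE lets an app reach.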
🔗 References
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.17
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.15
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.9
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.4
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.1