@Cache-Money discovered that a member or collaborator with administrative permissions to a repository within an organization could elevate their privileges to that of an owner within the organization using GitHub Apps. GitHub allowed repository administrators to install a GitHub App on an organization’s repository for which they had permissions. However, if a GitHub App installed by a repository administrator was configured with organization member management permissions, it could be used to add an owner to the organization or modify existing roles. We addressed the vulnerability by restricting GitHub App installations to organization owners. We also verified this vulnerability had not been exploited. This vulnerability did not affect GitHub Enterprise.
@Cache-Money discovered that repository administrators could change a repository’s visibility settings even after the organization owner had explicitly disabled it with the “Allow members to change repository visibilities for this organization” setting. Although the action appeared to be disallowed in the browser, a missing authorization check on the server allowed malicious administrators to change the visibility setting by making a direct request to the repository visibility endpoint. We addressed this vulnerability by implementing a systematic fix which requires all visibility modifications to pass through a single authorization check rather than individually applying an authorization check on each endpoint.
@Cache-Money discovered that projects residing in organization-owned repositories did not correctly enforce authorization for users added as read-only collaborators. Read-only collaborators should not have write access to project boards, but it was still possible for them to add issues to existing projects even though the action was explicitly disabled in the UI. We addressed this issue by adding an authorization check that ensures users only have write access to a project if they have write access to the corresponding repository.
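The three fixes above share one defensive pattern: the authorization decision lives in a single server-side policy that every code path must call, so hiding a control in the UI is never mistaken for enforcement. The following Ruby example is added here to illustrate that pattern; it is not GitHub's code. All class and method names (Org, Repo, User, AuthorizationPolicy, RepositoryService, build_example) and the sample organization are illustrative assumptions.

```ruby
# Added example, not GitHub's code: one authorization policy that every code
# path must call, modelling the three fixes described above. All class and
# method names here (Org, Repo, User, AuthorizationPolicy, RepositoryService)
# are illustrative assumptions, as is the sample organization in build_example.

Org  = Struct.new(:owners, :members_may_change_visibility, keyword_init: true)
Repo = Struct.new(:org, :admins, :writers, :readers, :visibility, :installed_apps,
                  keyword_init: true)
User = Struct.new(:login)

class NotAuthorized < StandardError; end

# Single place where "who may do what" is decided. Controllers, API handlers
# and background jobs ask this object; none of them re-implement the rules.
class AuthorizationPolicy
  def initialize(repo)
    @repo = repo
    @org  = repo.org
  end

  def owner?(user);  @org.owners.include?(user); end
  def admin?(user);  owner?(user) || @repo.admins.include?(user); end
  def writer?(user); admin?(user) || @repo.writers.include?(user); end
  def reader?(user); writer?(user) || @repo.readers.include?(user); end

  # Fix 1: only organization owners may install a GitHub App, because an app's
  # granted permissions (e.g. member management) can exceed those of a
  # repository administrator.
  def can_install_app?(user)
    owner?(user)
  end

  # Fix 2: the organization-level setting is enforced here, so it covers every
  # entry point that changes visibility, not just the page that hides the button.
  def can_change_visibility?(user)
    return true if owner?(user)
    admin?(user) && @org.members_may_change_visibility
  end

  # Fix 3: project write access is derived from repository write access, so a
  # read-only collaborator cannot add issues to a project.
  def can_write_project?(user)
    writer?(user)
  end
end

# The only code that mutates these settings. Rendering code may consult the
# policy to grey out controls, but that is a hint for the user, never the check.
class RepositoryService
  def initialize(repo)
    @repo   = repo
    @policy = AuthorizationPolicy.new(repo)
  end

  def change_visibility!(actor, new_visibility)
    authorize!(@policy.can_change_visibility?(actor), actor, "change visibility")
    @repo.visibility = new_visibility
  end

  def add_issue_to_project!(actor, project, issue)
    authorize!(@policy.can_write_project?(actor), actor, "add to project")
    project << issue
    project
  end

  def install_app!(actor, app_name)
    authorize!(@policy.can_install_app?(actor), actor, "install app #{app_name}")
    @repo.installed_apps << app_name
    @repo.installed_apps
  end

  private

  def authorize!(allowed, actor, action)
    raise NotAuthorized, "#{actor.login} may not #{action}" unless allowed
  end
end

# Constructed sample data: alice owns the org, bob administers the repo,
# dave can write to it and carol is a read-only collaborator.
def build_example
  alice, bob, carol, dave = %w[alice bob carol dave].map { |l| User.new(l) }
  org  = Org.new(owners: [alice], members_may_change_visibility: false)
  repo = Repo.new(org: org, admins: [bob], writers: [dave], readers: [carol],
                  visibility: :private, installed_apps: [])
  { org: org, repo: repo, alice: alice, bob: bob, carol: carol, dave: dave }
end

if __FILE__ == $PROGRAM_NAME
  ex  = build_example
  svc = RepositoryService.new(ex[:repo])
  [[ex[:bob],   :change_visibility!,   [:public]],
   [ex[:carol], :add_issue_to_project!, [[], "issue-1"]],
   [ex[:bob],   :install_app!,          ["member-manager-app"]]].each do |actor, action, args|
    begin
      svc.public_send(action, actor, *args)
      puts "#{actor.login}: #{action} allowed"
    rescue NotAuthorized => e
      puts "denied: #{e.message}"
    end
  end
end
```

The point of routing every mutation through RepositoryService is that a new endpoint (API, bulk tool, background job) cannot forget the check: it has no way to change visibility or project membership except through a method that consults the policy first. The UI can call the same predicates to disable a button, but the server decision is made again on each request regardless of what the browser rendered.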