5,000 pts
@patte reported an issue that could have allowed an attacker to create arbitrary repositories on organizations that they did not own via a GitHub App. An attacker would have also inherited read and write permissions on the repositories they created. This issue stemmed from insufficient authorization checking in the create repository endpoint when an actor was authenticated as a GitHub App. We audited all the repositories created through this vulnerability and confirmed that the user who created the GitHub App and triggered the vulnerability was always an owner of the affected organization. Even though the GitHub App should not have had access to create repositories in these organizations, we did not find any malicious exploitation of this bug. We have reviewed other authorization logic for GitHub App actions to ensure we prevent this type of authorization flaw in the future.
