CVE-2022-1808 Execution with Unnecessary Privileges in GitHub repository polonel/trudesk prior to 1.2.3.

GitHub lets you remove a collaborator or change a team's role on a repository at any time, but it is still important to be careful about who is granted access in the first place. Grant access only to people who need it for their work.

Never give someone the ability to add or remove files in a repository who doesn't need that level of access. Every extra account with write access is one more set of credentials (password, personal access token, SSH key) whose compromise can be used to alter your code, and GitHub does not warn you when you grant it.

GitHub allows you to grant teams and/or individual users the Write repository role. Treat this as a sensitive grant: anyone with this level of access can modify your code directly.

Check who has write access to your repo

You can review who has access at the repository level, in the repository's access settings or by listing collaborators through the GitHub API. If you see someone who is not a member of your team, or who holds Write (or higher) permission they don't need, revoke that access immediately and find out how it was granted.

Where access is justified, document it: write down why each contributor has access to the repository, what the project is for and what they are expected to contribute. That record makes it obvious later which grants are still needed and which should be revoked.
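The check above can be automated. The following is an added example, not code from the CVE page or from the trudesk project: it parses the JSON that GitHub's collaborators endpoint (GET /repos/{owner}/{repo}/collaborators, e.g. `gh api repos/OWNER/REPO/collaborators --paginate`) returns for each collaborator, namely a `login` and a `permissions` object with boolean `pull`, `triage`, `push`, `maintain` and `admin` fields, and compares the accounts that can push against an allowlist. The collaborator records and the allowlist below are constructed sample data for illustration, not a real repository.

```python
"""Audit which accounts hold write-or-higher access on a GitHub repository.

Added example, not part of the original page or the trudesk project.
Input is the JSON body of GET /repos/{owner}/{repo}/collaborators; the
records below are constructed sample data and EXPECTED_WRITERS is an
assumed allowlist.
"""
import json

# Constructed sample response, trimmed to the fields this audit needs.
# In the real API a maintain/admin collaborator also has push == true.
SAMPLE_COLLABORATORS_JSON = json.dumps([
    {"login": "alice",
     "permissions": {"pull": True, "triage": True, "push": True, "maintain": True, "admin": True}},
    {"login": "bob",
     "permissions": {"pull": True, "triage": True, "push": True, "maintain": False, "admin": False}},
    {"login": "carol",
     "permissions": {"pull": True, "triage": False, "push": False, "maintain": False, "admin": False}},
    {"login": "ci-bot",
     "permissions": {"pull": True, "triage": True, "push": True, "maintain": False, "admin": False}},
])

# Assumed allowlist: the accounts that are supposed to hold write access.
EXPECTED_WRITERS = {"alice", "ci-bot"}


def effective_role(permissions):
    """Map a permissions object to the highest repository role it implies.

    GitHub reports the roles as nested booleans; the first true flag in
    descending order of privilege is the role the collaborator holds.
    """
    for flag in ("admin", "maintain", "push", "triage", "pull"):
        if permissions.get(flag):
            # The API calls the Write role "push"; report it by its UI name.
            return "write" if flag == "push" else flag
    return "none"


def can_write(permissions):
    """True if the collaborator can push commits (Write, Maintain or Admin)."""
    return bool(permissions.get("push") or permissions.get("maintain")
                or permissions.get("admin"))


def audit_collaborators(collaborators_json, expected_writers):
    """Return (writers, unexpected, missing).

    writers    -- {login: role} for every account that can push
    unexpected -- logins that can push but are not on the allowlist
    missing    -- allowlisted logins that no longer have write access
    """
    collaborators = json.loads(collaborators_json)
    writers = {
        c["login"]: effective_role(c["permissions"])
        for c in collaborators
        if can_write(c["permissions"])
    }
    unexpected = sorted(login for login in writers if login not in expected_writers)
    missing = sorted(set(expected_writers) - set(writers))
    return writers, unexpected, missing


if __name__ == "__main__":
    writers, unexpected, missing = audit_collaborators(
        SAMPLE_COLLABORATORS_JSON, EXPECTED_WRITERS)
    for login, role in sorted(writers.items()):
        print(f"{login:10s} {role}")
    for login in unexpected:
        print(f"REVOKE: {login} can push but is not an expected writer")
    for login in missing:
        print(f"NOTE: expected writer {login} no longer has write access")
```

Run it against a real repository by replacing `SAMPLE_COLLABORATORS_JSON` with the output of `gh api repos/OWNER/REPO/collaborators --paginate`; the `unexpected` list is the set of grants to revoke, and `missing` catches allowlist entries that have gone stale.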

Don’t grant Write permission by default

Even if you are currently the only person with access to a repository, be deliberate before granting Write to anyone else: once granted, that account can change the code directly, and GitHub does not warn you when you do it.
Follow your organization's approval process before giving anyone repository access, and keep a record of who approved it and why.

Don’t grant write access to anyone who doesn't need it

If you want to tighten the security of your repositories, grant Write only where there is a clear need and keep the number of such accounts small. Every account that can push is an account whose compromised credentials can be used to alter your code or push bad commits, and that exposure lasts for as long as the access is left in place.

What is the Write repository permission?

Write is one of the repository roles GitHub offers (for organization-owned repositories: Read, Triage, Write, Maintain and Admin, in increasing order of privilege). A team or user with the Write role can push commits, create and delete branches and tags, and open and merge pull requests, so granting it means trusting that account with the contents of the repository. Maintain adds some settings management and Admin adds full control, including changing who has access.

GitHub does not have a separate access control list feature; access is governed by repository visibility, organization membership and the role assigned to each team or collaborator. For example, a private organization repository can give Write to the team that owns the project and Read to the rest of the organization, so that only that team can push to or delete files in it, while other teams and members hold their own roles on the repositories they work on.
