CVE-2022-2023 Incorrect Use of Privileged APIs in GitHub repository polonel/trudesk prior to 1.2.4.

This issue occurs when a user creates a new repository on GitHub using the new command, which creates a new repository with the initial README.md file and a blank repository settings page. The user then follows the directions in the official documentation to add a contact email address, choose a theme, and add a license. If the user chooses the license option and selects “CC-BY-SA” as the license type, they will enable the “Contributor License Agreement” (CLA) in the repository settings page, which is not supported by GitHub. By not checking the “Declare License” box, the user will enable the CLA in their new repository, but the CLA will only be active for the first 24 hours after creation. After the first day, the CLA will be removed from the repository settings page, but it will still be enabled in the repository itself, which is incorrect.

How to Fix the GitHub Contribution Issue?

If you experience this issue, the solution is to create a new repository with a different license type. For example, if you want to use the MIT license, create a new repository and then select “MIT” as your license type.

Solution: Install the latest version of GitHub Desktop

This issue can be resolved by installing the latest version of GitHub Desktop and following the steps in the documentation to disable the CLA.

How to fix it?

After following the steps in the official GitHub documentation, if a user still has the incorrect “Contributor License Agreement” (CLA) in their repository settings page, they should click on “Settings” and disable the CLA.

Summary of Affected Software

Due to the lack of proper testing for the new GitHub command, this issue can cause some users’ repositories to be created with a CLA that is only active for 24 hours. This could cause problems for users’ CLA-enabled repositories.

