CVE-2024-8810: 
GitHub Enterprise Server vulnerability analysis and mitigation

A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. This vulnerability (CVE-2024-8810) affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.1, 3.13.4, 3.12.9, 3.11.15, and 3.10.17. An attacker would require an account with administrator access to install a malicious GitHub App. The vulnerability was reported through the GitHub Bug Bounty program (GitHub NVD).

The vulnerability has been assigned a CVSS 4.0 Base Score of 8.7 (HIGH) with the following vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:N/R:U/V:C/RE:L/U:Amber. The vulnerability is classified as CWE-269 (Improper Privilege Management) (GitHub NVD).

The vulnerability allows malicious GitHub Apps to escalate their permissions from read to write access without requiring organization administrator approval, potentially leading to unauthorized access and modifications to organization resources (GitHub NVD).

Organizations should upgrade to the fixed versions: GitHub Enterprise Server 3.14.1, 3.13.4, 3.12.9, 3.11.15, or 3.10.17. These patches address the permission escalation vulnerability (GitHub Release Notes).