OneUptime GitHub App Callback Vulnerability Allows Unauthorized Project Binding
Vulnerability
A vulnerability exists in OneUptime's GitHub App integration prior to version 10.0.19. The issue arises because the GitHub App callback improperly trusts attacker-controlled state and installation_id values. This flaw enables an attacker to overwrite the GitHub App installation binding of another project by updating Project.gitHubAppInstallationId with isRoot: true, without verifying whether the caller is authorized for the target project. Additionally, related GitHub endpoints lack proper authorization, allowing a valid installation ID to be used for repository enumeration and the creation of CodeRepository records in any project.
Impact
Exploitation of this vulnerability leads to unauthorized modifications of the Project.gitHubAppInstallationId, causing temporary disruptions in GitHub integration. It also allows for cross-project bindings of GitHub App installations controlled by the attacker, unauthorized access to repository metadata for the supplied installation ID, and the creation of CodeRepository records in arbitrary projects.
Reproduction
To reproduce this vulnerability, send a request to the GitHub App callback endpoint with an attacker-controlled state that includes a valid project ID and a fake installation ID. The server will respond with a redirect to the project's code repository dashboard, and the GitHub App installation ID for the target project will be overwritten with the one provided in the request.
Remediation
Users should update to OneUptime version 10.0.19 or later.
