
A critical vulnerability in GitHub Enterprise Server could allow authentication bypass. Fix it now

GitHub has rolled out patches to address an authentication bypass vulnerability that affects GitHub Enterprise Server (GHES) when using SAML single sign-on (SSO) authentication with the optional encrypted confirmation feature.

For those who don’t know, GHES is a self-hosted software development platform for organizations that allows you to build and deliver software using Git version control, powerful APIs, productivity and collaboration tools, and integrations.

The authentication bypass vulnerability, tracked as CVE-2024-4985 (CVSS v4 score: 10.0), allowed an attacker to forge a Security Assertion Markup Language (SAML) response and gain access as a user with site administrator privileges, giving unauthorized access to the entire content of the instance without any prior authentication.

Encrypted assertions are not enabled by default in GHES. GitHub states that the vulnerability does not affect instances that do not use SAML SSO, nor those that use SAML SSO without encrypted assertions.

If exploited, this vulnerability would allow unauthorized access to an instance without prior authentication, letting an attacker impersonate any user, including administrators, and gain access to their private repositories and data.

CVE-2024-4985, which affected all versions of GitHub Enterprise Server before 3.13.0, was reported via the GitHub Bug Bounty program.

The bug was fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4, which were released on May 20.

GitHub has published a security advisory that lists known issues related to the update. While CVE-2024-4985 is not known to be exploited in the wild, all vulnerable GitHub Enterprise Server instances should be updated immediately to a patched version (3.9.15, 3.10.12, 3.11.10, or 3.12.4, or later) to protect against future exploitation.
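The patched-version list above is awkward to apply by hand across several release lines, so here is an added example (not code from the article or from GitHub) that turns it into a repeatable check. It assumes the version string comes from the `installed_version` field of a GHES `/api/v3/meta` response, which is embedded here as a constructed sample; whether SAML SSO and encrypted assertions are in use is not reported by that endpoint, so the example takes those as inputs supplied by the administrator. It also generalises slightly beyond the article by treating 3.x lines older than 3.9, which received no fix, as unpatched.

```python
# Added example: classify a GHES instance's exposure to CVE-2024-4985 from
# its installed version and its SAML configuration. Thresholds are the
# patched releases named in the article; the affected range is
# "all versions before 3.13.0".
import json
import re
from typing import Optional, Tuple

# First fixed release on each maintained 3.x line (from the article).
PATCHED_MIN = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# 3.13.0 and later never carried the bug.
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; any trailing suffix (e.g. '-rc1') is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if this release contains the CVE-2024-4985 fix."""
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return True
    minimum = PATCHED_MIN.get(v[:2])
    if minimum is None:
        # Assumption: a line older than 3.9 got no fix, so treat it as unpatched.
        return False
    return v >= minimum


def assess(version: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Return 'patched', 'not_exposed' or 'vulnerable'.

    'not_exposed' means the code is unpatched but the vulnerable feature
    combination (SAML SSO with encrypted assertions) is not enabled; the
    instance should still be upgraded before that feature is turned on.
    """
    if is_patched(version):
        return "patched"
    if saml_sso and encrypted_assertions:
        return "vulnerable"
    return "not_exposed"


def assess_meta(meta_json: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Classify using the 'installed_version' field of a /api/v3/meta body."""
    meta = json.loads(meta_json)
    version: Optional[str] = meta.get("installed_version")
    if version is None:
        raise ValueError("meta response has no installed_version field")
    return assess(version, saml_sso, encrypted_assertions)


# Constructed sample of the relevant part of a /api/v3/meta response.
SAMPLE_META = json.dumps({"verifiable_password_authentication": False,
                          "installed_version": "3.11.9"})

if __name__ == "__main__":
    # An unpatched 3.11 instance using SAML SSO with encrypted assertions.
    print(assess_meta(SAMPLE_META, saml_sso=True, encrypted_assertions=True))
```

The three-way result matters operationally: a `not_exposed` instance is not exploitable today, but it sits on vulnerable code, so it belongs on the same upgrade schedule as a `vulnerable` one rather than being closed as a non-issue.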