
GitHub fixes maximum severity vulnerability in Enterprise Server

GitHub has released an update to fix a critical vulnerability in GitHub Enterprise Server (GHES) that carries the maximum CVSS score of 10.0.

The Microsoft-owned development platform said this week that CVE-2024-4985 was reported through the GitHub Bug Bounty program.

It is described as an authentication bypass vulnerability that could allow unauthorized access to the target instance without prior authentication. It affects all versions of GHES prior to 3.13.0.

However, whether a given GHES instance can actually be exploited depends on its configuration: only instances that use SAML single sign-on together with the optional encrypted assertions feature are affected, GitHub explained.

“On instances using SAML SSO authentication with the optional encrypted assertion feature, an attacker could spoof the SAML response to share and/or gain access to a user with root privileges,” it noted.

“Please note that encrypted assertions are not enabled by default. Instances that do not use SAML single sign-on, or that use SAML single sign-on authentication without encrypted assertions, are not affected. Exploitation of this vulnerability would allow unauthorized access to the instance without prior authentication.”


GHES is a popular self-hosted platform that enables organizations to build and deliver their own software using Git version control, APIs, productivity and collaboration tools, and third-party integrations.

Hackuity’s vice president of strategy, Sylvain Cortes, warned that a CVSS score of 10 means users are at an “incredibly high risk” of network breaches by attackers.

“We know patching continues to be a challenge for many organizations, but this latest vulnerability is another great example of why security teams need to stay on top of the most widespread issues across their network,” he added.

“GitHub has issued an urgent patch for a reason – Enterprise Server users should prioritize deploying this and any other critical vulnerability patches before it’s too late.”

The bug has been fixed in GHES versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4; releases from 3.13.0 onward were never affected.
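A quick triage check for administrators, added here as an example and not tooling from GitHub or the article: given an installed GHES version and whether the instance runs SAML SSO with encrypted assertions, it applies the affected and fixed versions stated above to classify the instance. The version is read from the X-GitHub-Enterprise-Version header that a GHES API response carries (assumed here); the sample headers and the AuthConfig flags are constructed for the example, so substitute the values from your own instance.

```python
"""Classify a GitHub Enterprise Server instance against CVE-2024-4985.

Affected: every release before 3.13.0.
Fixed in: 3.9.15, 3.10.12, 3.11.10 and 3.12.4 (per the advisory).
Reachable only when SAML SSO is used with the optional encrypted assertions.
Example code, not GitHub's own tooling.
"""

from dataclasses import dataclass

# Minimum patched release per supported release line, from the advisory.
FIXED_VERSIONS = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# 3.13.0 and later never carried the bug.
FIRST_UNAFFECTED_LINE = (3, 13)


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (a trailing suffix such as '.rc1' is ignored);
    raise ValueError on anything that is not a GHES-style version string."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected GHES version string: {version!r}")
    try:
        major, minor, patch = (int(p) for p in parts[:3])
    except ValueError as exc:
        raise ValueError(f"unexpected GHES version string: {version!r}") from exc
    return major, minor, patch


def version_is_patched(version: str) -> bool:
    """True if this release carries the CVE-2024-4985 fix or never needed it."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line >= FIRST_UNAFFECTED_LINE:
        return True
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # Release lines older than 3.9 have no fixed build and fall under
        # "all versions prior to 3.13.0", so treat them as unpatched.
        return False
    return (major, minor, patch) >= fixed


@dataclass(frozen=True)
class AuthConfig:
    """Hypothetical summary of the instance's SSO settings (assumed inputs)."""
    saml_sso: bool
    encrypted_assertions: bool


def exposure(version: str, auth: AuthConfig) -> str:
    """'patched'     : fixed build or 3.13+.
    'not-exposed' : vulnerable build, but no SAML SSO or no encrypted
                    assertions, so the flaw is not reachable (per GitHub).
    'exposed'     : vulnerable build and the vulnerable configuration."""
    if version_is_patched(version):
        return "patched"
    if not (auth.saml_sso and auth.encrypted_assertions):
        return "not-exposed"
    return "exposed"


def version_from_headers(headers: dict[str, str]) -> str:
    """Pull the installed version from the X-GitHub-Enterprise-Version
    response header, matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-github-enterprise-version":
            return value
    raise KeyError("X-GitHub-Enterprise-Version header not present")


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real instance.
    sample_headers = {"Server": "GitHub.com", "X-GitHub-Enterprise-Version": "3.11.9"}
    v = version_from_headers(sample_headers)
    print(v, exposure(v, AuthConfig(saml_sso=True, encrypted_assertions=True)))
```

A "not-exposed" result only means the configuration GitHub describes is absent today; enabling encrypted assertions later on an unpatched build would make the instance exposed, so the fixed build is still the right target.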