Critical GitHub Enterprise Server Flaw Allows Auth Bypass, Fix Now

GitHub has rolled out fixes to address an authentication bypass vulnerability that affects the GitHub Enterprise Server (GHES) when utilizing SAML single sign-on (SSO) authentication with the optional encrypted assertions feature.

For those unaware, GHES is a self-hosted platform that lets organizations build and ship software using Git version control, powerful APIs, productivity and collaboration tools, and integrations.

The authentication bypass vulnerability tracked as CVE-2024-4985 (CVSS v4 score: 10.0) allowed an attacker to forge a SAML (Security Assertion Markup Language) response to provision and/or gain access to a user with site administrator privileges, offering unauthorized access to all of the instance’s contents without requiring prior authentication.

Because encrypted assertions are not enabled by default on GHES, GitHub states that the vulnerability does not affect instances that do not use SAML SSO, or that use SAML SSO authentication without encrypted assertions.

If exploited, this vulnerability would allow unauthorized access to the instance without prior authentication, enabling the attacker to impersonate any user, including administrators, and access their private repositories and data.

The CVE-2024-4985 vulnerability, which affected all versions of the GitHub Enterprise Server prior to 3.13.0, was reported via the GitHub Bug Bounty program.

The flaw was fixed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4, which were released on May 20th.

GitHub has published a security advisory that lists the known issues with the update. Although CVE-2024-4985 is not being exploited in the wild, all vulnerable GitHub Enterprise Server instances should be upgraded to a patched version (3.9.15, 3.10.12, 3.11.10, or 3.12.4, or newer) immediately to protect against future exploitation.
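The practical question for an administrator is whether a given instance is on a fixed release and whether the vulnerable configuration (SAML SSO with encrypted assertions) is in use. The script below is an added example, not code from GitHub or from the article: it encodes the affected and fixed versions stated above and assesses an instance from its reported version string and two configuration flags. The `installed_version` field is assumed to come from the GHES REST API meta endpoint; the JSON document here is constructed for illustration, and the configuration flags are passed in by the operator rather than read from the appliance.

```python
"""Assess a GitHub Enterprise Server instance against CVE-2024-4985.

Added example (not GitHub's code). Version numbers are those stated in
GitHub's advisory: fixes in 3.9.15, 3.10.12, 3.11.10 and 3.12.4; all
releases before 3.13.0 are affected.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Minimum patched release per supported release line.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# 3.13.0 and later were never affected.
FIRST_UNAFFECTED = (3, 13, 0)

# Constructed sample of a GHES /api/v3/meta response (assumption: the
# version is reported in the "installed_version" field). Verify the field
# name against your own instance before relying on it.
SAMPLE_META = json.dumps({"installed_version": "3.12.3", "verifiable_password_authentication": False})


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '3.12.3' or 'v3.12.3-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+.].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_from_meta(meta_json: str) -> str:
    """Extract the installed version from a meta-endpoint JSON document."""
    return json.loads(meta_json)["installed_version"]


@dataclass
class Assessment:
    version: tuple[int, int, int]
    patched: bool        # running a release that contains the fix, or never affected
    exposed: bool        # unpatched AND using SAML SSO with encrypted assertions
    recommendation: str


def assess(version_text: str, saml_sso: bool = False,
           encrypted_assertions: bool = False) -> Assessment:
    """Decide whether an instance needs the CVE-2024-4985 upgrade.

    'exposed' is only True when the instance is unpatched and actually runs the
    vulnerable configuration; an unpatched instance without encrypted
    assertions is still flagged as unpatched so it gets upgraded.
    """
    v = parse_version(version_text)
    if v >= FIRST_UNAFFECTED:
        patched, rec = True, "not affected (3.13.0 or later)"
    else:
        fixed = FIXED_VERSIONS.get(v[:2])
        if fixed is None:
            # Release lines older than 3.9 received no fix; move to a supported line.
            patched, rec = False, "no fixed release in this line; upgrade to a supported patched line"
        elif v >= fixed:
            patched, rec = True, "patched"
        else:
            patched, rec = False, "upgrade to " + ".".join(map(str, fixed)) + " or newer"
    exposed = (not patched) and saml_sso and encrypted_assertions
    return Assessment(v, patched, exposed, rec)


if __name__ == "__main__":
    current = version_from_meta(SAMPLE_META)
    result = assess(current, saml_sso=True, encrypted_assertions=True)
    print(f"GHES {current}: patched={result.patched} exposed={result.exposed} -> {result.recommendation}")
```

Run it against the real `installed_version` of each appliance and the output of your own SAML configuration review; the script deliberately reports an unpatched instance even when encrypted assertions are off, since the upgrade is the durable fix regardless of today's configuration.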

Kavita Iyer, https://www.techworm.net