GitHub has rolled out security updates for GitHub Enterprise Server (GHES) to resolve multiple issues, including a critical vulnerability that could allow unauthorized access to a GHES instance.
The critical vulnerability, identified as CVE-2024-9487, has been assigned a CVSS score of 9.5 out of 10.0. According to GitHub, "an attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, enabling unauthorized provisioning of users and access to the instance." This flaw stems from improper cryptographic signature verification in the platform.
The issue is described as a regression that emerged from a previous remediation of CVE-2024-4985, which carried a CVSS score of 10.0 and was patched back in May 2024.
Alongside the critical bug, GitHub also addressed two other vulnerabilities:
All of these vulnerabilities have been patched in the following versions of GitHub Enterprise Server: 3.14.2, 3.13.5, 3.12.10, and 3.11.16.
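As an added example (not from the article or from GitHub), the script below checks a self-hosted GHES inventory against the fixed releases listed above; the host names, versions and the `branch-not-listed` label are constructed for illustration.

```python
# Added example: classify GHES versions against the fixed releases the
# article lists (3.14.2, 3.13.5, 3.12.10, 3.11.16). Not GitHub's own tooling.

# Fixed release per minor branch, as stated in the article.
FIXED_VERSIONS = {
    (3, 14): (3, 14, 2),
    (3, 13): (3, 13, 5),
    (3, 12): (3, 12, 10),
    (3, 11): (3, 11, 16),
}

def parse_version(text: str) -> tuple:
    """Turn '3.13.4' (optionally with a leading 'v') into (3, 13, 4)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'branch-not-listed'.

    A minor branch the article does not list (older ones such as 3.10.x,
    or any newer branch) cannot be compared against a fixed release here;
    it is reported as 'branch-not-listed' so it is reviewed by hand rather
    than silently treated as safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "branch-not-listed"
    return "patched" if v >= fixed else "vulnerable"

def triage(inventory: dict) -> dict:
    """Map each host to its status for an inventory of host -> version."""
    return {host: assess(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {"ghes-prod": "3.13.5", "ghes-staging": "3.14.1", "ghes-legacy": "3.10.12"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Anything reported as `vulnerable` or `branch-not-listed` should be scheduled for an upgrade to a fixed release.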
Additionally, in August 2024, GitHub patched another critical security defect (CVE-2024-6800), with a CVSS score of 9.5, which could have been used to gain site administrator privileges on vulnerable instances.
Organizations running a self-hosted version of GitHub Enterprise Server are strongly urged to update to the latest version to protect against these security threats.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067