Critical Auth Bypass Vulnerability Affected GitHub Enterprise Server

Business users need to update their systems with the latest GitHub Enterprise Server release, as the service patched a serious auth bypass vulnerability and addressed some other security flaws.

A GitHub Enterprise Server Vulnerability Could Allow Admin Privileges To An Attacker

According to recent updates to GitHub's release notes, the service addressed a critical vulnerability in GitHub Enterprise Server.

GitHub Enterprise Server (GHES) is a self-hosted version of GitHub aimed at business users. Organizations may opt for Enterprise Server deployments to keep operations in-house, to meet regulatory compliance requirements, and to retain more control over access and security features.

GitHub described the critical vulnerability as an authentication bypass issue. Identified as CVE-2024-6800, this vulnerability received a CVSS score of 9.5. It stemmed from an XML signature wrapping issue affecting GHES instances that use SAML single sign-on (SSO) authentication with specific identity providers (IdPs) that publish publicly exposed signed federation metadata XML.

Exploiting the flaw could allow an unauthorized attacker with direct network access to GHES to forge a SAML response. This, in turn, would let the adversary gain elevated privileges, such as site administrator, without authentication.
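Signature wrapping works against a service provider that cryptographically verifies one signed element but then consumes a different, unsigned one. The structural checks below, an added example that is not GitHub's code and not derived from the patch, are the kind of precondition a SAML consumer applies before trusting an assertion: exactly one assertion, its own enveloped signature, a Reference URI that points at that assertion's ID, and no duplicate IDs. The SAML responses are constructed fixtures; cryptographic verification of the signature is a separate step and is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signed_assertion(response_xml):
    """Return the one Assertion whose own enveloped Signature covers it.
    Raises ValueError on structural problems, so an extra unsigned assertion
    is rejected rather than consumed. Cryptographic verification is separate."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)
    # Rule 1: exactly one assertion; wrapping relies on smuggling a second one.
    if len(assertions) != 1:
        raise ValueError(f"expected 1 assertion, found {len(assertions)}")
    assertion = assertions[0]
    aid = assertion.get("ID", "")
    # Rule 2: the Signature must be a direct child of the assertion it protects.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("assertion is not signed")
    # Rule 3: the single Reference must point at this assertion's own ID.
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + aid:
        raise ValueError("signature reference does not cover the assertion")
    # Rule 4: that ID must be unique, so the reference cannot be redirected.
    if sum(1 for e in root.iter() if e.get("ID") == aid) != 1:
        raise ValueError("duplicate ID values in document")
    return assertion

def accepted_name_id(response_xml):
    """NameID of the trusted assertion, or None when the response is rejected."""
    try:
        assertion = signed_assertion(response_xml)
    except ValueError:
        return None
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def _response(body):  # constructed fixture, not real IdP output
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1">{body}</samlp:Response>')

SIGNED = ('<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
          '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
          '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
UNSIGNED = ('<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>site-admin'
            '</saml:NameID></saml:Subject></saml:Assertion>')
GOOD = _response(SIGNED)                # legitimate: a single signed assertion
WRAPPED = _response(UNSIGNED + SIGNED)  # wrapped: unsigned assertion placed first
DUPED = _response(SIGNED.replace("_a1", "_r1"))  # assertion ID collides with Response ID
```

A consumer that simply took the first Assertion element would accept the `WRAPPED` document as "site-admin"; the checks above return nothing for it and only ever hand back the assertion the signature actually covers.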

This vulnerability caught GitHub's attention following a bug report submitted via its Bug Bounty Program. It affected all GHES versions before the release candidate (RC) build 3.14.

Following the report, the service patched the vulnerability with GHES stable versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

Besides this critical vulnerability, GitHub also fixed two medium-severity security flaws (described below). These vulnerabilities also caught GitHub’s attention through bug reports submitted to its bug bounty program.

  • CVE-2024-7711 (CVSS 5.3): An incorrect authorization flaw allowing an adversary to update the title, assignee, and labels of any issue in public repositories.
  • CVE-2024-6337 (CVSS 5.9): Another incorrect authorization vulnerability that exposed issue content from private repositories via a GitHub App holding only the contents: read and pull requests: write permissions. An attacker could use that App's access token to exploit the flaw and read the issue contents.

Since the patches have been released for multiple GHES versions, users must update their systems accordingly to receive the fixes.
