
GitHub patches critical flaw in Enterprise Server


GitHub has issued security updates for a critical vulnerability in its Enterprise Server (GHES). The vulnerability, tracked as CVE-2024-9487, has a CVSS rating of 9.5 out of 10. If exploited, it allows an attacker to bypass SAML single sign-on (SSO) authentication, giving full access to the targeted instance.

GitHub stated in the release notes covering the issue that “an attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server.”

The issue was introduced while GitHub was patching another, more severe vulnerability, CVE-2024-4985 (rated 10 on the CVSS scale), in May 2024. The update also fixes CVE-2024-9539, a vulnerability with a CVSS rating of 5.7 that allows an attacker to fetch metadata belonging to a victim user after the victim clicks malicious URLs for SVG assets. Another bug that exposes sensitive data in HTML forms in the management console was also patched, although this one hasn’t been assigned a CVE ID yet.

Fifteen other bugs were also addressed in the update. These are quality-of-life and user accessibility improvements that fix bugs you might encounter in day-to-day usage, not security vulnerabilities. There have been changes to the audit log, the ghe-remove-node command’s behaviour, and the clone3() system call as well. That said, the update isn’t without issues either, and version 3.14.2 lists 15 known issues at the time of writing that can be found in the release notes.

GHES versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16 have been patched against the three issues. Organisations running versions older than the patched ones, or an otherwise vulnerable installation, are advised to update to the latest versions to stay protected.
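As an added example (not code from the article or from GitHub), the following check takes a running GHES version string and reports whether it is at or above the fixed release for its line, using only the patched versions named above; the labels for lines older than 3.11 or newer than 3.14 are this example's own assumptions, since the advisory as reported here covers neither.

```python
# Added example: classify a GHES version against the fixed releases named in
# the article (3.14.2, 3.13.5, 3.12.10, 3.11.16). Not GitHub's own tooling.
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed versions from the article, keyed by release line (major, minor).
PATCHED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (3, 14): (3, 14, 2),
    (3, 13): (3, 13, 5),
    (3, 12): (3, 12, 10),
    (3, 11): (3, 11, 16),
}
OLDEST_LINE = min(PATCHED_VERSIONS)
NEWEST_LINE = max(PATCHED_VERSIONS)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (an optional leading 'v' is tolerated)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', 'older-line' or 'newer-line'.

    'older-line' (assumption): the release line predates the oldest line that
    received a fix, so the article's advice is to move to a patched line.
    'newer-line' (assumption): the line is newer than any the article lists,
    so this check cannot vouch for it either way.
    """
    version = parse_version(text)
    line = version[:2]
    if line < OLDEST_LINE:
        return "older-line"
    if line > NEWEST_LINE:
        return "newer-line"
    fixed = PATCHED_VERSIONS[line]
    # Tuple comparison orders (major, minor, patch) numerically, so 3.12.10
    # correctly sorts above 3.12.9.
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    for sample in ("3.14.1", "3.14.2", "3.12.9", "3.12.10", "3.10.20"):
        print(sample, "->", assess(sample))
```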


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
