A huge collection of 3400+ free website templates JAR theme com WP themes and more at the biggest community-driven free web design site
Home / security-advisories / Critical Authentication Bypass Vulnerability in The GitHub Enterprise Server (CVE-2024-4985)

Critical Authentication Bypass Vulnerability in The GitHub Enterprise Server (CVE-2024-4985)

Advisory No: TZCERT/SA/2024/05/23

Date of First Release: 23rd May 2024

Source: GitHub

Software Affected: GitHub Enterprise Server (GHES) prior to Version 3.13.0

Overview:

GitHub Enterprise Servers (GHES) prior to version 3.13.0 is affected by a critical authentication bypass vulnerability. The vulnerability allows an unauthorized access to the instance without requiring prior authentication.

Description:

An authentication bypass vulnerability, identified as CVE-2024-4985, was discovered in GitHub Enterprise Server (GHES) when using SAML single sign-on (SSO) authentication with the optional encrypted assertions feature. This vulnerability allows an attacker to forge a SAML response, which can then be used to provision and gain access to a user account with site administrator privileges. This critical flaw could enable attackers to bypass authentication mechanisms and gain unauthorized access to the GHES instance without needing prior authentication. A vulnerability has a CVSS Score of 10.0 and treated as critical.

Impact:

Successful exploitation of this vulnerability allows an attacker to gain unauthorizes access to the GHES instance, hence it may extend to exposure of sensitive data, operation disruption and/or further exploitation since an attacker could modify, delete or inject malicious code into repository.

Solution:

GitHub has released security patches for this vulnerability. Users and administrators are encouraged to apply necessary updates.

References:

  1. https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.4-security-fixes
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4985
  3. https://www.tenable.com/cve/CVE-2024-4985

Check Also

High severity vulnerabilities in HPE ProLiant and HPE Edgeline Servers Using BIOS (PixieFail) (CVE-2023-45229, CVE-2023-45230, CVE-2023-45234, CVE-2023-45235, CVE-2021-38575)

Advisory No: TZCERT/SA/2024/05/31-2 Date of First Release: 31st May 2024 Source: Hewlett-Packard (HP) Software Affected: …