
Critical Authentication Bypass Vulnerability in The GitHub Enterprise Server (CVE-2024-4985)

Advisory No: TZCERT/SA/2024/05/23

Date of First Release: 23rd May 2024

Source: GitHub

Software Affected: GitHub Enterprise Server (GHES) prior to Version 3.13.0


GitHub Enterprise Server (GHES) prior to version 3.13.0 is affected by a critical authentication bypass vulnerability. The vulnerability allows unauthorized access to the instance without prior authentication.


An authentication bypass vulnerability, identified as CVE-2024-4985, was discovered in GitHub Enterprise Server (GHES) when using SAML single sign-on (SSO) authentication with the optional encrypted assertions feature. This vulnerability allows an attacker to forge a SAML response, which can then be used to provision and gain access to a user account with site administrator privileges. This critical flaw could enable attackers to bypass authentication mechanisms and gain unauthorized access to the GHES instance without prior authentication. The vulnerability has a CVSS score of 10.0 and is rated critical.


Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to the GHES instance. This may extend to exposure of sensitive data, disruption of operations and/or further exploitation, since an attacker could modify, delete or inject malicious code into repositories.


GitHub has released security patches for this vulnerability. Users and administrators are encouraged to apply the necessary updates.


  1. https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.4-security-fixes
  2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4985
  3. https://www.tenable.com/cve/CVE-2024-4985
