Update now! GitHub patches critical vulnerability in Enterprise Server

GitHub has issued a patch for a critical and easy to exploit authentication bypass vulnerability in GitHub Enterprise Server.

Users of GitHub Enterprise Server that use Security Assertion Markup Language (SAML) for single-sign-on (SSO) are under advice to patch a serious new bug as soon as possible. The vulnerability has a CVSS score of 10 out of 10, and requires urgent attention.

SAML makes SSO technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.

In the release notes for the latest updates, GitHub states:

“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.”

So, it’s important to note that the urgency is limited to the users of GitHub Enterprise Server that use SAML for SSO with the encrypted assertions feature.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is CVE-2024-4985, an authentication bypass vulnerability that could allow an attacker to forge a SAML response to provision, or gain access to, a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. All versions of GitHub Enterprise Server prior to 3.13.0 are affected. The vulnerability was fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.

As you can read in the description, anyone with access can gain administrator rights and exploitation is as simple as adding a fake SAML Assertion parameter to a GET request. A Proof of Concept (PoC) for the exploit is available on… wait for it… GitHub.

For users that don’t qualify for this vulnerability because they are not using the encrypted assertions feature or SAML at all, it may pay off to take a look at the known issues for the update before you install it. Which is also true for the users that need to update, but it shouldn’t stop them from doing so.

Release notes:

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.