GitHub Enterprise Server Flaw Allows Authentication Bypass


A critical vulnerability was discovered in the GitHub Enterprise Server that could allow attackers to completely bypass authentication and gain unauthorized access to repositories and sensitive data.

The flaw, tracked as CVE-2024-4985, has a CVSS severity score of 10.0, the highest possible.

GitHub Enterprise Server Flaw

The vulnerability exists in the SAML SSO authentication process of GitHub Enterprise Server. According to GitHub's advisory, it affects all releases before 3.13.0 (the last unpatched builds being 3.9.14, 3.10.11, 3.11.9, and 3.12.3), but only on instances that use SAML SSO with the optional encrypted assertions feature enabled. Encrypted assertions are off by default; instances that do not use SAML SSO, or that use it without encrypted assertions, are not affected.

It allows an attacker to send a specially crafted SAML response that the server accepts even though its digital signature is not valid.

This enables the attacker to spoof any user's identity, including administrators, and to provision or gain access to an account with administrator privileges, with full access to private repositories and data. The root cause was a logic error in how SAML responses were validated.

The server checked that a SAML response carried a digital signature, but it did not properly verify that the signature was valid and that it had been produced by the key in the identity provider's configured certificate.

Therefore, attackers could sign SAML assertions with any certificate of their own choosing and gain access. GitHub has published a security advisory and released patched versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4, which contain a fix; the issue was reported through the GitHub Bug Bounty program.
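The validation error described above, as an added example in Ruby (the language GitHub Enterprise Server is written in) that is not GitHub's code: a weak validator that only checks that the response is signed by whatever certificate the response itself carries, beside a hardened one that verifies against the identity provider certificate pinned on the server at configuration time. The assertion format, the key and certificate names, and the detached RSA-SHA256 signature standing in for a full XML-DSig `<ds:Signature>` with canonicalisation are simplifications assumed for illustration; the trusted certificate and the attacker's certificate are both generated inside the block.

```ruby
require "openssl"

# Added example, not GitHub's code. Simplified model of SAML response
# signature checking: the "response" is an assertion string, a detached
# RSA-SHA256 signature over it, and the certificate the sender claims
# signed it (the role <ds:KeyInfo><ds:X509Certificate> plays in XML-DSig).
# No XML canonicalisation is performed; that is an assumed simplification.
SignedResponse = Struct.new(:assertion, :signature, :cert_pem)

# Build a self-signed X.509 certificate for an RSA key. Used for both the
# genuine IdP and the attacker; the CN is illustrative only.
def make_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Sign an assertion with the given key and attach the matching certificate.
def sign_response(key, cert, assertion)
  sig = key.sign(OpenSSL::Digest.new("SHA256"), assertion)
  SignedResponse.new(assertion, sig, cert.to_pem)
end

# Weak check (the class of bug described in the article): the signature is
# verified only against the certificate embedded in the response, so any
# attacker-controlled key that signs its own forged assertion passes.
def weak_validate(resp)
  cert = OpenSSL::X509::Certificate.new(resp.cert_pem)
  cert.public_key.verify(OpenSSL::Digest.new("SHA256"), resp.signature, resp.assertion)
end

# Hardened check: ignore whatever certificate the response carries and
# verify against the IdP certificate the SP was configured with out of band.
def strict_validate(resp, trusted_idp_cert)
  trusted_idp_cert.public_key.verify(OpenSSL::Digest.new("SHA256"), resp.signature, resp.assertion)
end

# Run the four cases a practitioner should test: genuine response, forged
# response signed with the attacker's own certificate, and a genuine
# response whose assertion was tampered with after signing.
def demo
  idp_key = OpenSSL::PKey::RSA.new(2048)
  idp_cert = make_cert(idp_key, "idp.example.test")           # pinned on the SP
  attacker_key = OpenSSL::PKey::RSA.new(2048)
  attacker_cert = make_cert(attacker_key, "idp.example.test") # same CN, different key

  # Constructed sample assertions (not real SAML XML).
  legit = sign_response(idp_key, idp_cert, "<Assertion><NameID>alice</NameID></Assertion>")
  forged = sign_response(attacker_key, attacker_cert, "<Assertion><NameID>admin</NameID></Assertion>")
  tampered = SignedResponse.new(legit.assertion.sub("alice", "admin"), legit.signature, legit.cert_pem)

  {
    legit_weak: weak_validate(legit),            # true
    forged_weak: weak_validate(forged),          # true: the bug
    legit_strict: strict_validate(legit, idp_cert),     # true
    forged_strict: strict_validate(forged, idp_cert),   # false
    tampered_strict: strict_validate(tampered, idp_cert) # false
  }
end

puts demo.inspect if __FILE__ == $0
```

The weak validator is internally consistent (the signature really does verify against the supplied certificate), which is why a test suite that only feeds it responses from the genuine IdP never notices the problem; the negative cases with a foreign certificate and a tampered assertion are the ones that distinguish the two implementations.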

There are currently no reports of this vulnerability being exploited in the wild. However, all GitHub Enterprise Server instances should be updated immediately.

Mitigations

  • Upgrade GitHub Enterprise Server to a patched version (3.9.15, 3.10.12, 3.11.10, or 3.12.4, or any newer release)
  • If unable to immediately upgrade, enable SAML certificate pinning as a temporary mitigation
  • If you cannot upgrade immediately and do not rely on encrypted assertions, turn that option off: GitHub states that instances using SAML SSO without encrypted assertions are not affected
  • Audit access logs for suspicious authentication activity, such as logins and account provisioning from unknown IP addresses
  • Rotate all credentials and SSH keys if you suspect unauthorized access has occurred

This severe flaw underscores the importance of correctly verifying authentication assertions and of security testing that includes negative cases, especially for widely used platforms that store sensitive data such as source code.

Organizations should keep GitHub Enterprise Server and other key systems updated to protect against potential breaches and data theft.
