Critical GitHub Enterprise Server Flaw Allows Authentication Bypass

Critical GitHub Enterprise Server Flaw Allows Authentication Bypass

Technology

May 21, 2024NewsroomVulnerability / Software Development

Critical GitHub Enterprise Server Flaw Allows Authentication Bypass

GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections.

Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication.

“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” the company said in an advisory.

GHES is a self-hosted platform for software development, allowing organizations to store and build software using Git version control as well as automate the deployment pipeline.

Cybersecurity

The issue impacts all versions of GHES prior to 3.13.0 and has been addressed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.

GitHub further noted that encrypted assertions are not enabled by default and that the flaw does not affect instances that do not utilize SAML single sign-on (SSO) or those that use SAML SSO authentication without encrypted assertions.

Encrypted assertions allow site administrators to improve a GHES instance’s security with SAML SSO by encrypting the messages that the SAML identity provider (IdP) sends during the authentication process.

Organizations that are using a vulnerable version of GHES are recommended to update to the latest version to secure against potential security threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Read original source here.

Products You May Like

Articles You May Like

Trump’s Defense Secretary Pete Hegseth Is the Pentagon’s Reckoning
Man hurt in Beverly Hills crash involving carjacker shares update – NBC Los Angeles
Super Micro hires new auditor to maintain Nasdaq listing; shares pop
Hacker Has The Testimony Of Underage Girl Matt Gaetz Allegedly Had Sex With
Sundance Head Shares Video Update Following Accidental Shooting: “I Was Sure That I Was Gonna Die”