GitHub has rolled out fixes to address a maximum-severity flaw in GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections.
Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication.
“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” the company said in an advisory.
GHES is a self-hosted platform for software development, allowing organizations to store and build software using Git version control as well as automate the deployment pipeline.
The issue affects all versions of GHES prior to 3.13.0 and has been addressed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
GitHub further noted that encrypted assertions are not enabled by default and that the flaw does not affect instances that do not use SAML single sign-on (SSO), or those that use SAML SSO authentication without encrypted assertions.
Encrypted assertions allow site administrators to improve a GHES instance's security with SAML SSO by encrypting the messages that the SAML identity provider (IdP) sends during the authentication process.
Organizations that are using a vulnerable version of GHES are recommended to update to the latest version to secure against potential security threats.
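As an added example (not part of the advisory or of GitHub's own tooling), the following Python triages a GHES instance against the version ranges and configuration preconditions stated above: a release line with no listed fix (such as 3.8.x) is treated as vulnerable, and an instance on a vulnerable version is only reported as exposed when SAML SSO with encrypted assertions is enabled. The version strings and the `assess` function are assumptions made for this illustration.

```python
# Added example: triage a GHES version against the fixed versions named in the
# advisory for CVE-2024-4985. Not GitHub's code; version tuples are taken from the
# text above, everything else is an assumption for illustration.

# First patched release in each affected release line.
FIXED_IN = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# "All versions prior to 3.13.0" are affected.
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text):
    """Turn a GHES version string such as '3.11.9' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_version(text):
    """True when the version predates the fix for its release line."""
    version = parse_version(text)
    if version >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # Release line with no fix listed in the advisory (e.g. 3.8.x):
        # it is older than 3.13.0, so treat it as vulnerable.
        return True
    return version < fixed


def assess(text, saml_sso_enabled, encrypted_assertions_enabled):
    """Combine version state with the configuration preconditions."""
    if not is_vulnerable_version(text):
        return "patched"
    if not (saml_sso_enabled and encrypted_assertions_enabled):
        # Vulnerable code is present but the forgery path needs SAML SSO
        # with encrypted assertions; still worth upgrading.
        return "not exposed"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample inventory: (version, SAML SSO on, encrypted assertions on)
    for entry in [("3.11.9", True, True), ("3.12.4", True, True), ("3.8.20", False, False)]:
        print(entry[0], "->", assess(*entry))
```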