GitHub Patches Essential Safety Flaw in Enterprise Server Granting Admin Privileges

Aug 22, 2024Ravie LakshmananEnterprise Software program / Vulnerability

GitHub has launched fixes to deal with a set of three safety flaws impacting its Enterprise Server product, together with one essential bug that might be abused to achieve web site administrator privileges.

Probably the most extreme of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS rating of 9.5.

“On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” GitHub stated in an advisory.

Cybersecurity

The Microsoft-owned subsidiary has additionally addressed a pair of medium-severity flaws –

  • CVE-2024-7711 (CVSS rating: 5.3) – An incorrect authorization vulnerability that might permit an attacker to replace the title, assignees, and labels of any situation inside a public repository.
  • CVE-2024-6337 (CVSS rating: 5.9) – An incorrect authorization vulnerability that might permit an attacker to entry situation contents from a personal repository utilizing a GitHub App with solely contents: learn and pull requests: write permissions.

All three safety vulnerabilities have been addressed in GHES variations 3.13.3, 3.12.8, 3.11.14, and three.10.16.

Again in Could, GitHub additionally patched a essential safety vulnerability (CVE-2024-4985, CVSS rating: 10.0) that might allow unauthorized entry to an occasion with out requiring prior authentication.

Organizations which can be working a weak self-hosted model of GHES are extremely suggested to replace to the most recent model to safeguard in opposition to potential safety threats.

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we publish.

Recent articles

Patch Alert: Essential Apache Struts Flaw Discovered, Exploitation Makes an attempt Detected

Dec 18, 2024Ravie LakshmananCyber Assault / Vulnerability Risk actors are...

Meta Fined €251 Million for 2018 Knowledge Breach Impacting 29 Million Accounts

Dec 18, 2024Ravie LakshmananKnowledge Breach / Privateness Meta Platforms, the...