GitHub addressed a critical vulnerability in Enterprise Server that could allow unauthorized access to affected instances.
Code hosting platform GitHub addressed a critical vulnerability, tracked as CVE-2024-9487 (CVSS score of 9.5), in GitHub Enterprise Server that could lead to unauthorized access to affected instances.
An attacker could exploit a cryptographic signature verification flaw in GitHub Enterprise Server to bypass SAML SSOand unauthorized user access.
The flaw is an improper verification of cryptographic signature vulnerability that resides in GitHub Enterprise Server. GitHub warns that attackers could exploit a cryptographic signature verification flaw in GitHub Enterprise Server, allowing SAML SSO bypass and unauthorized user access.
To exploit this vulnerability, the attacker needed GitHub Enterprise Server’s encrypted assertions feature enabled, direct network access, and a signed SAML response or metadata document.
The flaw affects all versions of Enterprise Server prior to 3.15 and the company addressed the issue in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. This vulnerability was reported via the company through its Bug Bounty program.
The vulnerability only affects GitHub Enterprise Server instances with encrypted assertions enabled for SAML SSO; it also requires direct network access and a signed SAML document.
“An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from CVE-2024-4985, which resulted in a new variant of the vulnerability.” reads the advisory. “Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document.
The company also addressed an information disclosure vulnerability, tracked as CVE-2024-9539 (CVSS score of 5.7), in Enterprise Server. The flaw impacts versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2, The vulnerability could be exploited through malicious SVG files.
“An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page.” reads the advisory. “This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL.”
GitHub is not aware of attacks in the wild exploiting the above vulnerabilities.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CVE-2024-9487)