GitHub Fixes Maximum Severity Flaw in Enterprise Server

GitHub has issued an update to fix a critical vulnerability in its GitHub Enterprise Server (GHES) with a maximum CVSS score of 10.

The Microsoft-owned developer platform explained this week that CVE-2024-4985 was discovered via its GitHub Bug Bounty Program.

It’s described as an authentication bypass vulnerability that could allow unauthorized access to a targeted instance without requiring prior authentication. It impacts all versions of GHES prior to 3.13.0.

However, GitHub explained that the GHES configuration determines whether an instance is exposed: only instances using SAML single sign-on together with the optional encrypted assertions feature are impacted.

“On instances that use SAML SSO authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” it noted.

“Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.”


GHES is a popular self-hosted platform that enables organizations to build and ship their own software using Git version control, APIs, productivity and collaboration tools, and third-party integrations.

Hackuity VP of strategy, Sylvain Cortes, warned that the CVSS score of 10 means users are at an “incredibly high risk” of attacker network break-ins.

“We know that patching continues to be a challenge for many organizations, but this latest vulnerability is yet another prime example of why security teams must keep on top of the most prevalent issues within their network,” he added.

“GitHub has issued an urgent patch for a reason – users of their Enterprise Server software should prioritize implementing this, and any other critical vulnerability patches, before it’s too late.”

The bug has been fixed in GHES versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
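As an added triage example (not GitHub's own code), the following Python applies the version and configuration conditions reported above to inventory entries; the SAML SSO and encrypted-assertion flags are assumed to be read from each instance's management console, and the sample fleet is constructed.

```python
# Added example (not GitHub's code): exposure triage for CVE-2024-4985.
# Fix versions and the 3.13.0 cutoff are those reported in the article;
# the SAML/encrypted-assertion flags are assumed known from the GHES console.

# Fixed releases per supported branch, keyed by (major, minor).
FIXED_IN = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
FIRST_UNAFFECTED = (3, 13, 0)  # "all versions prior to 3.13.0" are affected

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (leading 'v' tolerated) into ints so 3.9.15 > 3.9.9 compares correctly."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def is_patched(version: str) -> bool:
    """True if this GHES release already contains the CVE-2024-4985 fix."""
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return True
    fix = FIXED_IN.get(v[:2])
    # A branch with no listed fix (e.g. 3.8.x) has no patched release at all.
    return fix is not None and v >= fix

def assess(version: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Classify one instance as 'not_affected', 'patched' or 'vulnerable'."""
    # Only SAML SSO with the optional encrypted assertions feature reaches
    # the vulnerable code path; other auth setups are unaffected regardless of version.
    if not (saml_sso and encrypted_assertions):
        return "not_affected"
    return "patched" if is_patched(version) else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    fleet = [
        ("3.12.3", True, True),   # one release short of the fix
        ("3.12.4", True, True),   # fixed release for the 3.12 branch
        ("3.11.9", True, False),  # old, but encrypted assertions off
        ("3.8.20", True, True),   # branch with no fix listed
    ]
    for version, sso, enc in fleet:
        print(f"{version:>8}  {assess(version, sso, enc)}")
```

Instances classified "vulnerable" on a branch with no listed fix need an upgrade to a supported branch rather than a point release.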
