
GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

GitHub has released fixes to address a set of three security flaws affecting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges.

The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800 and carries a CVSS score of 9.5.

"On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges," GitHub said in an advisory.


The Microsoft-owned subsidiary has also addressed a pair of medium-severity flaws:

  • CVE-2024-7711 (CVSS score: 5.3) – An incorrect authorization vulnerability that could allow an attacker to update the title, assignees, and labels of any issue inside a public repository.
  • CVE-2024-6337 (CVSS score: 5.9) – An incorrect authorization vulnerability that could allow an attacker to access issue contents from a private repository using a GitHub App with only contents: read and pull requests: write permissions.

All three security vulnerabilities have been addressed in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.
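A small triage helper, added here as an example and not code from GitHub or from the article, that maps a GHES version string onto the fixed versions listed above and reports whether an instance is at or above the fix for its release branch. It assumes the usual major.minor.patch version format; branches the article does not list (older than 3.10 or newer than 3.13) are reported as unknown rather than guessed. The inventory lines are constructed sample input.

```python
"""Triage GHES instances against the fixed versions named in the article.

Added example; not GitHub's code. The only facts used are the fixed
versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16 for CVE-2024-6800,
CVE-2024-7711 and CVE-2024-6337.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed release per branch, as stated in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 13): (3, 13, 3),
    (3, 12): (3, 12, 8),
    (3, 11): (3, 11, 14),
    (3, 10): (3, 10, 16),
}

# Assumption: GHES reports versions as major.minor.patch.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable integer tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fix for its branch,
    False if it is on a listed branch but below the fix, and None when
    the branch is not covered by the article's list (status unknown)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def triage(inventory: str) -> Dict[str, str]:
    """Take 'hostname version' lines and return a per-host status.

    Unparseable lines are flagged rather than silently skipped, since a
    host with no usable version is exactly the one worth a manual look."""
    report: Dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            report[line] = "malformed"
            continue
        host, version = parts
        try:
            status = is_patched(version)
        except ValueError:
            report[host] = "malformed"
            continue
        if status is None:
            report[host] = "unknown-branch"
        elif status:
            report[host] = "patched"
        else:
            report[host] = "VULNERABLE"
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """
# host            version
ghes-prod-01      3.13.2
ghes-prod-02      3.13.3
ghes-staging      3.10.15
ghes-legacy       3.9.20
ghes-canary       3.14.0
ghes-broken       3.12
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Anything reported as VULNERABLE is below the fix on a branch the advisory covers; unknown-branch hosts need the branch checked against GitHub's own advisory rather than this list.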

Back in May, GitHub also patched a critical security vulnerability (CVE-2024-4985, CVSS score: 10.0) that could allow unauthorized access to an instance without requiring prior authentication.

Organizations that are running a vulnerable self-hosted version of GHES are strongly advised to update to the latest version to safeguard against potential security threats.
