
GitHub warns of SAML auth bypass flaw in Enterprise Server

GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.

Exploiting the flaw would allow a threat actor to forge a SAML response and gain administrator privileges, giving unrestricted access to all of the instance's contents without requiring any authentication.

GHES is a self-hosted version of GitHub designed for organizations that prefer to store repositories on their own servers or private cloud environments.

It caters to the needs of large enterprises or development teams that require greater control over their assets, entities handling sensitive or proprietary data, organizations with high-performance needs, and users requiring offline access capabilities.

The flaw, which was submitted to GitHub's Bug Bounty program, only impacts instances using Security Assertion Markup Language (SAML) SSO with encrypted assertions. This optional feature protects data against interception (man-in-the-middle attacks).

"On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges." – GitHub.


Because encrypted assertions are not the default setting on GHES, CVE-2024-4986 only impacts instances whose administrators have enabled the security feature.

The vulnerability has been fixed in GHES versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15, all released yesterday, on May 20.
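For administrators triaging a fleet, here is an added example (not from the article or from GitHub) that applies the fixed versions listed above to an instance's running version and encrypted-assertions setting. It assumes the version string is obtained separately, for instance from the `installed_version` field of the instance's /api/v3/meta endpoint; the inventory in the block is constructed.

```python
"""Triage GHES instances against CVE-2024-4986 (added example, not GitHub's code)."""

# Fixed releases from the bulletin, keyed by feature branch (major, minor).
FIXED_VERSIONS = {
    (3, 12): (3, 12, 4),
    (3, 11): (3, 11, 10),
    (3, 10): (3, 10, 12),
    (3, 9): (3, 9, 15),
}


def parse_version(text: str) -> tuple:
    """Turn '3.11.9' into (3, 11, 9); reject anything that is not x.y.z digits."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, encrypted_assertions: bool) -> str:
    """Classify one instance: 'not affected', 'patched', 'vulnerable' or 'unlisted branch'."""
    # Encrypted assertions are opt-in; instances without them are out of scope.
    if not encrypted_assertions:
        return "not affected"
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Branch not covered by the bulletin (older than 3.9 or newer than 3.12):
        # do not guess, send it for manual review against the vendor advisory.
        return "unlisted branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> list:
    """inventory maps hostname -> (version, encrypted_assertions); returns sorted findings."""
    return sorted((host, assess(ver, enc)) for host, (ver, enc) in inventory.items())


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames).
    sample = {
        "ghes-a.example.internal": ("3.11.9", True),
        "ghes-b.example.internal": ("3.12.4", True),
        "ghes-c.example.internal": ("3.10.11", False),
        "ghes-d.example.internal": ("3.8.20", True),
    }
    for host, status in triage(sample):
        print(f"{host}: {status}")
```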

Known issues with the update include:

  • Custom firewall rules are wiped.
  • "No such object" error during configuration validation for Notebook and Viewscreen services. (can be ignored)
  • Management Console root admin account doesn't unlock automatically after lockout. (requires SSH access to unlock)
  • TLS-enabled log forwarding fails as CA bundles uploaded using ghe-ssl-ca-certificate-install are not respected.
  • The "mbind: Operation not permitted" error in MySQL logs can be ignored.
  • AWS instances may lose system time synchronization after a reboot.
  • All client IPs appear as 127.0.0.1 in audit logs when using the X-Forwarded-For header behind a load balancer.
  • Large .adoc files may not render in the web UI but are available as plaintext.
  • Backup restores with ghe-restore may fail if Redis hasn't restarted properly.
  • Repositories imported using ghe-migrator don't track Advanced Security contributions correctly.
  • GitHub Actions workflows for GitHub Pages may fail; the fix requires specific SSH commands. (fix provided in the bulletin)

Despite these issues, those using the vulnerable configuration (SAML SSO + encrypted assertions) should immediately move to a safe GHES version.
