
Critical GitHub Enterprise Server Flaw Permits Authentication Bypass

GitHub has rolled out fixes to address a maximum-severity flaw in GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections.

Tracked as CVE-2024-4985 (CVSS score: 10.0), the issue could permit unauthorized access to an instance without requiring prior authentication.

“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” the company said in an advisory.

GHES is a self-hosted platform for software development, allowing organizations to store and build software using Git version control as well as automate the deployment pipeline.


The issue affects all versions of GHES prior to 3.13.0 and has been addressed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.

GitHub further noted that encrypted assertions are not enabled by default and that the flaw does not affect instances that do not use SAML single sign-on (SSO), or those that use SAML SSO authentication without encrypted assertions.


Encrypted assertions allow site administrators to improve a GHES instance’s security with SAML SSO by encrypting the messages that the SAML identity provider (IdP) sends during the authentication process.

Organizations that are running a vulnerable version of GHES are advised to update to the latest version to protect against potential security threats.
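To turn the version and configuration facts above into a repeatable fleet check, here is an added triage helper (example code written for this article, not GitHub’s own tooling). It encodes only what the advisory text states: every release before 3.13.0 is affected, the patched releases are 3.9.15, 3.10.12, 3.11.10 and 3.12.4, and the flaw is only reachable when SAML SSO is used together with encrypted assertions; the function and field names are assumptions of this example.

```python
"""Triage helper for CVE-2024-4985 (GHES SAML encrypted-assertions bypass)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Patched release per affected release line, as listed in the advisory.
FIXED_RELEASES = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# First release line that never contained the flaw.
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a GHES version string such as '3.11.9' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


@dataclass(frozen=True)
class Triage:
    exposed: bool               # flaw reachable given version AND SAML config
    patched: bool               # running a release that contains the fix
    upgrade_to: Optional[str]   # patched release on the same line, if one exists


def triage(version: str, saml_sso: bool, encrypted_assertions: bool) -> Triage:
    """Classify one instance (hypothetical helper, not a GitHub API).

    Exposure requires both the vulnerable code and the SAML SSO plus
    encrypted-assertions configuration the advisory describes.
    """
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return Triage(exposed=False, patched=True, upgrade_to=None)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None and v >= fixed:
        return Triage(exposed=False, patched=True, upgrade_to=None)
    # Lines older than 3.9 have no patched release listed; they must move
    # to a supported line, so no same-line target is suggested.
    target = ".".join(map(str, fixed)) if fixed else None
    return Triage(exposed=saml_sso and encrypted_assertions,
                  patched=False, upgrade_to=target)
```

An instance reported as unpatched but not exposed is still running vulnerable code and should be scheduled for the same upgrade, since a later configuration change would make it exploitable.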
