CVE-2024-4985 (CVSS 10): Critical Authentication Bypass Flaw Found in GitHub Enterprise Server
GitHub, the world’s leading software development platform, has disclosed a critical security vulnerability (CVE-2024-4985) in its self-hosted GitHub Enterprise Server (GHES) product. The vulnerability, which carries a maximum severity rating of 10 on the Common Vulnerability Scoring System (CVSS), could allow attackers to bypass authentication and gain unauthorized access to sensitive code repositories and data.
GitHub Enterprise Server is the self-hosted version of GitHub Enterprise, tailored for businesses seeking a secure and customizable environment for source code management. Installed on an organization’s own servers or private cloud, it enables collaborative development while providing robust security and administrative controls.
The flaw resides in the optional encrypted assertions feature of GHES’s SAML single sign-on (SSO) authentication mechanism. This feature, designed to enhance security, ironically became a weak link: an attacker could forge a SAML response that the server accepted, impersonate a legitimate user, and potentially gain administrator privileges.
This vulnerability was discovered through GitHub’s Bug Bounty program, which rewards security researchers for identifying and reporting vulnerabilities.
GitHub has acted swiftly to address the issue, releasing fixed versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4 of GHES. Administrators are strongly urged to update their installations to one of these releases immediately to mitigate the risk of compromise.
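For administrators running several GHES instances, the first practical step is to compare each installed version against the fixed releases named above. The script below is an added example written for this article, not GitHub's own tooling; the hostnames and versions in its sample inventory are constructed, and the release lines it knows about are exactly the four fixed versions listed on this page, so a version from any other line is reported as "unknown" rather than guessed at.

```python
"""Check installed GitHub Enterprise Server versions against the fixed
releases named in the CVE-2024-4985 advisory (added example, not GitHub code)."""

# Fixed releases listed on the page, keyed by (major, minor) release line.
FIXED_VERSIONS = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a GHES version string such as '3.11.9' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed version.

    'unknown' means the release line is not among the fixed releases named on
    the page, so this check cannot decide; consult GitHub's advisory for it.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor, patch) numerically, so 3.11.9 < 3.11.10.
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so vulnerable instances can be scheduled first."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ghes-prod-1.example.internal": "3.11.9",
    "ghes-prod-2.example.internal": "3.11.10",
    "ghes-dev.example.internal": "3.12.3",
    "ghes-legacy.example.internal": "3.8.17",
    "ghes-staging.example.internal": "3.9.15",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The version check is a necessary condition only: the page states that the weakness lies in the optional encrypted assertions feature of SAML SSO, so an instance that does not use that feature is not exposed to this flaw, and the script cannot see that configuration. Treat "vulnerable" as "upgrade now" and "unknown" as "check the advisory for your release line" rather than as a clean bill of health.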