GitHub Enterprise Server Patches Critical Security Flaw – CVE-2024-9487 (CVSS 9.5)
GitHub has released security updates to address two vulnerabilities in GitHub Enterprise Server, one of which could allow attackers to bypass authentication and gain unauthorized access.
The most severe vulnerability, CVE-2024-9487, has been assigned a CVSS score of 9.5, indicating critical risk. It is an improper verification of cryptographic signature flaw in the platform's SAML SSO authentication mechanism: the SAML SSO check could be bypassed, resulting in unauthorized provisioning of users and access to the instance. Exploitation, however, requires specific conditions:
- The “encrypted assertions” feature must be enabled on the GitHub Enterprise Server instance.
- The attacker needs direct network access to the server.
- The attacker must possess a valid signed SAML response or metadata document.
While these prerequisites limit the attack surface, organizations using SAML SSO with encrypted assertions are urged to update their GitHub Enterprise Server installations immediately.
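As an added illustration (not code from GitHub or from the article's author), the stdlib Python below audits a captured SAML Response for the shape the preconditions above describe: whether the assertion arrives encrypted (the "encrypted assertions" precondition), which element carries a signature, and whether that signature's Reference actually points at the element the service provider will trust. The two responses, the IDs and the issuer URL are constructed samples; the element names come from the SAML 2.0 and XML-DSig schemas. It verifies no cryptography and decrypts nothing, so it is a triage aid for deciding which instances to patch first, not a replacement for the patch.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample 1: the IdP encrypts the assertion and signs the outer Response.
# This is the wire shape seen when "encrypted assertions" is enabled. Base64 blobs are placeholders.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-10-10T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Constructed sample 2: plaintext assertion, signed at the assertion level only.
PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp2" Version="2.0" IssueInstant="2024-10-10T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-10-10T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _signature_target(element):
    """Return the ID that the element's own ds:Signature claims to cover, or None if unsigned.

    Only a direct-child Signature counts. A Signature nested deeper belongs to some other
    element, and treating it as covering this one is the classic wrong-element mistake
    behind signature-wrapping bypasses.
    """
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    return ref.get("URI") if ref is not None else ""


def audit_saml_response(xml_text):
    """Summarise where signatures sit and whether the assertion is encrypted."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element")
    target = _signature_target(root)
    plain = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    return {
        "response_signed": target is not None,
        # True only if the Response signature's Reference points at the Response itself.
        "response_signature_covers_response": target == "#%s" % root.get("ID"),
        "encrypted_assertions": len(encrypted),
        "plaintext_assertions": len(plain),
        "plaintext_assertions_signed": sum(
            1 for a in plain if _signature_target(a) == "#%s" % a.get("ID")
        ),
    }


def findings(audit):
    """Turn an audit dict into the points a reviewer would raise in light of CVE-2024-9487."""
    out = []
    if audit["encrypted_assertions"]:
        out.append("encrypted assertions in use: instance meets the precondition for CVE-2024-9487, patch first")
        if audit["response_signed"]:
            out.append("only a Response-level signature is visible; whether the decrypted assertion is itself signed cannot be judged from the wire")
    if audit["plaintext_assertions"] and audit["plaintext_assertions_signed"] < audit["plaintext_assertions"]:
        out.append("unsigned plaintext assertion present: reject it unless the Response signature is verified over it")
    return out
```

To feed it real traffic, base64-decode the `SAMLResponse` POST parameter captured from the browser during login and pass the resulting XML string to `audit_saml_response`. The design point the helper encodes is that a signature is only meaningful for the exact element it references: a check that verifies one element and then consumes another (for example, the plaintext produced by decrypting `EncryptedAssertion`) is what allows someone holding a legitimately signed response to substitute content of their choosing, which is why the advisory's "signed SAML response or metadata document" precondition is a low bar for an attacker who already has network access.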
The second vulnerability, rated medium severity, involves malicious URLs embedded in SVG assets. A malicious URL in an uploaded SVG asset exposed metadata about the victim who clicked it, which an attacker could use to build a convincing phishing page. Exploiting it is more involved: the attacker must first upload the malicious SVG to the server and then trick a user into clicking the associated URL.
Both vulnerabilities affect all versions of GitHub Enterprise Server prior to 3.15 and have been addressed in the patched releases GitHub has published for each affected version line.
GitHub urges all users of Enterprise Server to update to a patched version as soon as possible to mitigate these security risks.