10 out of 10: a fresh vulnerability in GitHub Enterprise Server allows authentication bypass

Father

Update the software you are using before hackers use it for malicious purposes.

GitHub has released patches to address a serious vulnerability in GitHub Enterprise Server (GHES) that could allow attackers to bypass authentication systems.

The vulnerability, identified as CVE-2024-4985 with a maximum CVSS rating of 10.0, lets an attacker gain access to the system without first authenticating.

"On servers that use SAML authentication with the encrypted claims feature optionally enabled, an attacker could have forged a SAML response to gain access to an account with administrator rights," the company said in a statement.

GHES is a software development platform that allows organizations to store and develop software using the Git version control system and automate deployment processes.

The vulnerability affects all versions of GHES prior to 3.13.0 and was fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.

GitHub also clarified that the encrypted claims feature is not enabled by default, and the vulnerability does not affect systems that do not use SAML SSO authentication or use it without encrypted claims.

Encrypted assertions allow site administrators to enhance the security of GHES with SAML SSO by encrypting the messages that the SAML Identity Provider (IdP) sends during authentication.

Organizations that use vulnerable versions of GHES are advised to update their systems to the latest versions to protect against potential security threats.
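As an added example (not code from GitHub or from the original post), here is a small Python check that applies the fixed versions listed above to an inventory of GHES hosts, so a defender can see which instances still need the upgrade. The hostnames and versions in the sample inventory are constructed.

```python
"""Triage GHES hosts against the CVE-2024-4985 fix versions named in the advisory."""

# Earliest patched build on each supported release branch, per the advisory.
FIXED_VERSIONS = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# The advisory states that 3.13.0 and later are not affected.
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text):
    """Parse 'major.minor.patch' (e.g. '3.11.9') into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized GHES version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version, saml_encrypted_assertions=True):
    """Return True if this build needs patching for CVE-2024-4985.

    The flaw is only reachable with SAML SSO and encrypted assertions enabled,
    so a caller that knows the feature is off may pass False to skip the host.
    When in doubt, leave the default (assume the feature may be enabled).
    """
    if not saml_encrypted_assertions:
        return False
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Branch older than 3.9: affected per the advisory, and no fix is listed.
        return True
    return v < fixed


def triage(inventory):
    """inventory: [(hostname, version, encrypted_assertions_enabled)] -> hosts to upgrade."""
    return [host for host, ver, enc in inventory if is_vulnerable(ver, enc)]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("ghes-prod.example.internal", "3.11.9", True),      # below 3.11.10 -> upgrade
    ("ghes-staging.example.internal", "3.12.4", True),   # already patched
    ("ghes-legacy.example.internal", "3.8.20", True),    # no fix listed -> upgrade
    ("ghes-dev.example.internal", "3.10.11", False),     # feature off -> not reachable
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UPGRADE REQUIRED: {host}")
```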