GitHub fixes maximum severity Enterprise Server auth bypass bug (CVE-2024-4985)

A critical, 10-out-of-10 vulnerability (CVE-2024-4985) allowing unrestricted access to vulnerable GitHub Enterprise Server (GHES) instances has been fixed by Microsoft-owned GitHub.


Fortunately, there is a catch that may narrow down the pool of potential victims: instances are vulnerable to attack only if they use SAML single sign-on (SSO) authentication AND have the (optional) encrypted assertions feature enabled.

About CVE-2024-4985

GitHub Enterprise Server is a software development platform that organizations host either on-premises or on a public cloud service. Instances run a Linux operating system with a custom application stack.

“GitHub Enterprise Server runs on your infrastructure and is governed by access and security controls that you define, such as firewalls, network policies, IAM, monitoring, and VPNs. GitHub Enterprise Server is suitable for use by enterprises that are subject to regulatory compliance, which helps to avoid issues that arise from software development platforms in the public cloud,” GitHub explains.

Reported via the company’s bug bounty program, CVE-2024-4985 stems from an incorrect implementation of an authentication algorithm.

The vulnerability may allow an unauthorized attacker to forge a SAML response to provision or gain access to a user with site administrator privileges, thus bypassing any authentication requirements.

Fixes are available

CVE-2024-4985 affects all versions of GitHub Enterprise Server prior to 3.13.0, and has been fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.

“Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted,” the company said in the software release notes.

It then stands to reason that, if upgrading is currently impossible, disabling SAML SSO or just the encrypted assertions feature should temporarily prevent exploitation of the issue.
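The exposure conditions above (an unpatched build, SAML SSO in use, and encrypted assertions enabled) can be checked across an inventory of instances. The following is an added example, not code from GitHub or from this article; the version numbers are the ones listed above, while the inventory, hostnames and field names are constructed for illustration.

```python
# Added example: triage GHES instances against the CVE-2024-4985 conditions.
# Version numbers come from the article; field names and inventory are constructed.

FIXED_IN = {(3, 9): 15, (3, 10): 12, (3, 11): 10, (3, 12): 4}  # series -> first fixed patch
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text):
    """Turn '3.11.4' into (3, 11, 4); reject anything that is not X.Y.Z."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version):
    if version >= FIRST_UNAFFECTED:
        return True
    fixed_patch = FIXED_IN.get(version[:2])
    # Series older than 3.9 have no fixed release listed, so they count as unpatched.
    return fixed_patch is not None and version[2] >= fixed_patch


def triage(instance):
    """Classify one instance dict: version, saml_sso, encrypted_assertions."""
    version = parse_version(instance["version"])
    if is_patched(version):
        return "patched"
    if not (instance["saml_sso"] and instance["encrypted_assertions"]):
        return "unpatched build, not impacted in current configuration"
    series = version[:2]
    if series in FIXED_IN:
        return f"exposed: upgrade to {series[0]}.{series[1]}.{FIXED_IN[series]} or later"
    return "exposed: no fixed release in this series"


# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    {"host": "ghes-a.example", "version": "3.11.9", "saml_sso": True, "encrypted_assertions": True},
    {"host": "ghes-b.example", "version": "3.10.2", "saml_sso": True, "encrypted_assertions": False},
    {"host": "ghes-c.example", "version": "3.8.12", "saml_sso": True, "encrypted_assertions": True},
    {"host": "ghes-d.example", "version": "3.12.4", "saml_sso": True, "encrypted_assertions": True},
]

if __name__ == "__main__":
    for inst in INVENTORY:
        print(f"{inst['host']:<16} {inst['version']:<8} {triage(inst)}")
```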


