CVE-2024-4985: Urgent Patch for GHES Authentication Vulnerability
GitHub has released patches to address a critical vulnerability in GitHub Enterprise Server (GHES) that could allow attackers to bypass authentication systems.
The vulnerability, identified as CVE-2024-4985 with a maximum CVSS rating of 10.0, allows an unauthenticated attacker to gain access to the system.
“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” the company stated.
GHES is a software development platform that enables organizations to store and develop software using the Git version control system and automate deployment processes.
The vulnerability affects all versions of GHES up to 3.13.0 and has been remedied in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4.
GitHub also clarified that the encrypted assertions feature is not enabled by default, and the vulnerability does not affect systems that do not use SAML SSO authentication or use it without encrypted assertions.
Encrypted assertions allow site administrators to enhance GHES security with SAML SSO by encrypting messages sent by the SAML identity provider (IdP) during the authentication process.
Organizations using vulnerable versions of GHES are advised to update their systems to the latest versions to protect against potential security threats.
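As an added example (not GitHub's code, and not part of the original article), the following Python triage script turns the version and configuration conditions stated above into a repeatable check over a fleet inventory. The fixed release numbers and the exposure conditions (SAML SSO with the encrypted assertions feature) are taken from the advisory text; the inventory hostnames, versions and settings are constructed for illustration. Two points are assumptions and labelled as such in the code: a release line with no listed fix is treated as unpatched, and 3.13.0 or later is treated as not affected.

```python
"""Triage check for CVE-2024-4985 exposure in GitHub Enterprise Server (GHES).

Added example, not GitHub's code. The fixed versions and exposure conditions
come from the advisory text. Assumptions: a release line with no listed fix
(e.g. 3.8.x) is treated as unpatched, and 3.13.0 or later as not affected.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Patched releases per the advisory; earlier patch levels on these lines are vulnerable.
FIXED_VERSIONS = {
    (3, 9): 15,
    (3, 10): 12,
    (3, 11): 10,
    (3, 12): 4,
}
FIRST_UNAFFECTED = (3, 13, 0)  # assumption: "up to 3.13.0" read as exclusive

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a GHES version string such as '3.11.10' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_version_patched(version: str) -> bool:
    """True if the given GHES version contains the fix for CVE-2024-4985."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) >= FIRST_UNAFFECTED:
        return True
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    if fixed_patch is None:
        return False  # assumption: a line with no listed fix is unpatched
    return patch >= fixed_patch


@dataclass(frozen=True)
class Verdict:
    exposed: bool
    reason: str


def assess(version: str, saml_sso: bool, encrypted_assertions: bool) -> Verdict:
    """Combine the version state with the SAML configuration conditions from the advisory."""
    if is_version_patched(version):
        return Verdict(False, f"GHES {version} includes the fix for CVE-2024-4985")
    if not saml_sso:
        return Verdict(False, f"GHES {version} is unpatched but SAML SSO is not in use; update anyway")
    if not encrypted_assertions:
        return Verdict(False, f"GHES {version} is unpatched and uses SAML SSO without encrypted assertions; update anyway")
    return Verdict(True, f"GHES {version} uses SAML SSO with encrypted assertions and lacks the fix: patch immediately")


# Constructed sample inventory: (hostname, version, saml_sso, encrypted_assertions).
# Hostnames and settings are made up for illustration.
SAMPLE_INVENTORY = [
    ("ghes-prod.example.internal", "3.11.9", True, True),
    ("ghes-staging.example.internal", "3.12.4", True, True),
    ("ghes-legacy.example.internal", "3.8.20", True, False),
    ("ghes-new.example.internal", "3.13.0", True, True),
]


def triage(inventory=SAMPLE_INVENTORY) -> list[tuple[str, Verdict]]:
    """Run the assessment over an inventory and return one verdict per host."""
    return [(host, assess(ver, sso, enc)) for host, ver, sso, enc in inventory]


if __name__ == "__main__":
    for host, verdict in triage():
        flag = "EXPOSED " if verdict.exposed else "ok      "
        print(f"{flag}{host}: {verdict.reason}")
```

The check deliberately separates "unpatched" from "exposed": hosts that do not meet the SAML conditions are still reported as needing the update, since the advisory's exposure conditions narrow who is at immediate risk, not who should patch.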