Security
Headlines
HeadlinesLatestCVEs

Headline

GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

GitHub has released security updates for Enterprise Server (GHES) to address multiple issues, including a critical bug that could allow unauthorized access to an instance. The vulnerability, tracked as CVE-2024-9487, carries a CVS score of 9.5 out of a maximum of 10.0 "An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing

The Hacker News
#vulnerability#microsoft#git#auth#The Hacker News

Enterprise Security / Vulnerability

GitHub has released security updates for Enterprise Server (GHES) to address multiple issues, including a critical bug that could allow unauthorized access to an instance.

The vulnerability, tracked as CVE-2024-9487, carries a CVS score of 9.5 out of a maximum of 10.0

“An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server,” GitHub said in an alert.

The Microsoft-owned company characterized the flaw as a regression that was introduced as part of follow-up remediation from CVE-2024-4985 (CVSS score: 10.0), a maximum severity vulnerability that was patched back in May 2024.

Also fixed by GitHub are two other shortcomings -

  • CVE-2024-9539 (CVSS score: 5.7) - An information disclosure vulnerability that could enable an attacker to retrieve metadata belonging to a victim user upon clicking malicious URLs for SVG assets

  • A sensitive data exposure in HTML forms in the management console (no CVE)

All three security vulnerabilities have been addressed in Enterprise Server versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16.

Back in August, GitHub also patched a critical security defect (CVE-2024-6800, CVSS score: 9.5) that could be abused to gain site administrator privileges.

Organizations that are running a vulnerable self-hosted version of GHES are highly advised to update to the latest version to safeguard against potential security threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

Hi there! Here’s your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

GitHub has released fixes to address a set of three security flaws impacting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges. The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS score of 9.5. "On GitHub Enterprise Server instances that use SAML single sign-on (SSO)

GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

GitHub has released fixes to address a set of three security flaws impacting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges. The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS score of 9.5. "On GitHub Enterprise Server instances that use SAML single sign-on (SSO)