Security
Headlines
HeadlinesLatestCVEs

Headline

GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

GitHub has released fixes to address a set of three security flaws impacting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges. The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS score of 9.5. "On GitHub Enterprise Server instances that use SAML single sign-on (SSO)

The Hacker News
#vulnerability#microsoft#git#auth#The Hacker News

Enterprise Software / Vulnerability

GitHub has released fixes to address a set of three security flaws impacting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges.

The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS score of 9.5.

“On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” GitHub said in an advisory.

The Microsoft-owned subsidiary has also addressed a pair of medium-severity flaws -

  • CVE-2024-7711 (CVSS score: 5.3) - An incorrect authorization vulnerability that could allow an attacker to update the title, assignees, and labels of any issue inside a public repository.

  • CVE-2024-6337 (CVSS score: 5.9) - An incorrect authorization vulnerability that could allow an attacker to access issue contents from a private repository using a GitHub App with only contents: read and pull requests: write permissions.

All three security vulnerabilities have been addressed in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

Back in May, GitHub also patched a critical security vulnerability (CVE-2024-4985, CVSS score: 10.0) that could permit unauthorized access to an instance without requiring prior authentication.

Organizations that are running a vulnerable self-hosted version of GHES are highly advised to update to the latest version to safeguard against potential security threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

GitHub has released security updates for Enterprise Server (GHES) to address multiple issues, including a critical bug that could allow unauthorized access to an instance. The vulnerability, tracked as CVE-2024-9487, carries a CVS score of 9.5 out of a maximum of 10.0 "An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing

The Hacker News: Latest News

AI Could Generate 10,000 Malware Variants, Evading Detection in 88% of Case