Critical GitHub Enterprise Server Flaw Allows Authentication Bypass

May 21, 2024 at 01:22PM

GitHub has addressed a critical flaw (CVE-2024-4985) in GitHub Enterprise Server that allows unauthorized access on instances using SAML SSO with encrypted assertions. The issue affects versions prior to 3.13.0 and has been fixed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Organizations running vulnerable versions are advised to update.

The May 21, 2024 report highlighted a maximum-severity vulnerability in GitHub Enterprise Server (GHES), tracked as CVE-2024-4985 with a CVSS score of 10.0. The flaw could enable unauthorized access to an instance without prior authentication, specifically on instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature.

The vulnerable versions of GHES include all versions prior to 3.13.0, with the issue addressed in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. It was emphasized that encrypted assertions are not enabled by default, and instances not utilizing SAML single sign-on (SSO) or using SAML SSO authentication without encrypted assertions are not impacted.
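As an added example (not GitHub's own tooling), the following inventory check encodes the two preconditions above, the SAML SSO with encrypted assertions configuration and the per-branch fixed release, so a fleet owner can flag which GHES instances still need the update. The version table is taken from the summary; the function names and the treatment of older branches as unpatched are assumptions of this example.

```python
"""Flag GHES instances exposed to CVE-2024-4985 from the version ranges and
preconditions stated in the advisory summary. Added example, not GitHub code."""

# Fixed releases per supported branch, as listed in the summary.
FIXED_BY_BRANCH = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
FIRST_UNAFFECTED = (3, 13, 0)  # 3.13.0 and later were never affected


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a tuple that compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_is_patched(version: str) -> bool:
    """True if the release carries the fix or postdates the issue entirely."""
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return True
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Branch with no fixed release listed (e.g. 3.8.x): the summary says
        # everything before 3.13.0 is affected, so treat it as unpatched.
        return False
    return v >= fixed


def is_exposed(version: str, saml_sso: bool, encrypted_assertions: bool) -> bool:
    """Exposed only when SAML SSO with encrypted assertions is enabled
    AND the running release predates the fix for its branch."""
    if not (saml_sso and encrypted_assertions):
        return False
    return not version_is_patched(version)


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, saml_sso, encrypted_assertions)
    fleet = [("ghes-a.example", "3.10.11", True, True),
             ("ghes-b.example", "3.10.11", True, False),
             ("ghes-c.example", "3.12.4", True, True)]
    for host, ver, sso, enc in fleet:
        print(host, ver, "EXPOSED" if is_exposed(ver, sso, enc) else "ok")
```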

The company recommended that organizations using a vulnerable version of GHES update to the latest version to safeguard against potential security threats.
