Critical Authentication Flaw Haunts GitHub Enterprise Server

August 21, 2024 at 12:54PM

GitHub has issued a critical fix for three security vulnerabilities in its Enterprise Server product. The most serious, CVE-2024-6800, lets an attacker manipulate SAML SSO authentication to obtain site administrator privileges; GitHub rates it 9.5/10. It affects every release before 3.14 and is fixed in 3.13.3, 3.12.8, 3.11.14 and 3.10.16. Two medium-severity flaws were patched at the same time.

GitHub has released an urgent fix for a trio of security defects in GitHub Enterprise Server. The most severe issue, tracked as CVE-2024-6800, is an XML signature wrapping weakness in the SAML SSO implementation: when the instance is configured with an identity provider that publishes signed federation metadata XML, an attacker with network access to the server can forge a SAML response and provision or log in as a user with site administrator privileges. GitHub assigns the vulnerability a CVSS severity score of 9.5/10; it affects all versions of GitHub Enterprise Server prior to 3.14, and the company fixed it in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16.

Additionally, GitHub has documented a pair of medium-severity authorization flaws. The first (CVE-2024-7711) allowed an attacker to update the title, assignees and labels of any issue in a public repository. The second (CVE-2024-6337) allowed a GitHub App holding only contents:read and pull_requests:write permissions to disclose the contents of an issue in a private repository. Both are fixed in the same releases and also require attention.

Administrators should upgrade GitHub Enterprise Server to one of the fixed versions as soon as possible. Instances that do not use SAML SSO are not exposed to CVE-2024-6800, but are still affected by the two medium-severity issues. Because the SAML flaw allowed an attacker to create or take over site administrator accounts, it is also worth reviewing the list of site administrators after upgrading and removing any account that cannot be accounted for.
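A quick way to verify whether an instance is on a fixed release is to read installed_version from the GHES REST meta endpoint (GET /api/v3/meta) and compare it against the fixed versions listed above. The script below is an added example written for this page, not code from GitHub; the sample JSON response is constructed, and the choice to treat any 3.x branch older than 3.10 as vulnerable (because no fix was published for it) is an assumption made here.

```python
"""Check a GitHub Enterprise Server version against the CVE-2024-6800 fix list."""
import json
import urllib.request
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases per supported 3.x branch, as listed in GitHub's advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (3, 10): (3, 10, 16),
    (3, 11): (3, 11, 14),
    (3, 12): (3, 12, 8),
    (3, 13): (3, 13, 3),
}
# Every release before 3.14 is affected; 3.14 and later are not.
FIRST_UNAFFECTED_BRANCH = (3, 14)


def parse_version(text: str) -> Version:
    """Parse a 'MAJOR.MINOR.PATCH' string such as the meta endpoint returns."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(installed: str) -> Tuple[bool, str]:
    """Return (patched, reason) for an installed GHES version string."""
    major, minor, patch = parse_version(installed)
    if (major, minor) >= FIRST_UNAFFECTED_BRANCH:
        return True, f"{installed} is 3.14 or later, which is not affected"
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Assumption: branches older than 3.10 received no fix, so treat them as vulnerable.
        return False, f"{installed} is on a branch with no fix available; upgrade to a supported release"
    fixed_text = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        return True, f"{installed} includes the fix ({fixed_text})"
    return False, f"{installed} is vulnerable; upgrade to {fixed_text} or later"


def installed_version_from_meta(meta_json: str) -> str:
    """Extract 'installed_version' from the JSON body returned by GET /api/v3/meta."""
    return json.loads(meta_json)["installed_version"]


def check_instance(base_url: str, token: Optional[str] = None) -> Tuple[bool, str]:
    """Query a live instance's meta endpoint and assess the version it reports."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v3/meta")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess(installed_version_from_meta(resp.read().decode()))


# Constructed sample response; not captured from a real instance.
SAMPLE_META = '{"verifiable_password_authentication": true, "installed_version": "3.12.7"}'

if __name__ == "__main__":
    patched, reason = assess(installed_version_from_meta(SAMPLE_META))
    print("PATCHED" if patched else "VULNERABLE", "-", reason)
```

Run check_instance("https://ghes.example.internal", token) against a real appliance; the version comparison is done per minor branch because each branch has its own fixed patch level, so a plain lexical comparison against 3.13.3 would wrongly flag 3.12.8 as vulnerable.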