October 16, 2024 at 01:42AM
GitHub has released security updates for Enterprise Server (GHES) addressing a critical vulnerability (CVE-2024-9487) that allows SAML single sign-on (SSO) authentication to be bypassed. The flaw carries a CVSS score of 9.5. Additional vulnerabilities were patched in the same releases. Administrators of self-hosted instances are urged to update to a fixed version.
### Meeting Takeaways – October 16, 2024
1. **GitHub Security Updates Released**:
– GitHub has issued security updates for Enterprise Server (GHES) to address critical vulnerabilities.
2. **Critical Vulnerability – CVE-2024-9487**:
– **CVSS Score**: 9.5 (Critical).
– **Issue**: Improper verification of cryptographic signatures, allowing SAML single sign-on (SSO) authentication to be bypassed.
– **Impact**: An attacker could provision users and gain unauthorized access to the instance.
– **Precondition**: Per GitHub's advisory, exploitation requires the optional encrypted assertions feature to be enabled; instances that authenticate with SAML but do not use encrypted assertions are not affected by this particular bug, although they should still update for the other fixes.
3. **Related Vulnerability – CVE-2024-4985**:
– CVE-2024-9487 is a regression introduced by the fix for CVE-2024-4985 (CVSS 10.0), a similar SAML authentication bypass patched in May 2024.
4. **Additional Vulnerabilities**:
– **CVE-2024-9539**: CVSS score 5.7, an information disclosure vulnerability in SVG assets that allowed an attacker to retrieve metadata about a user who clicks a malicious URL.
– Sensitive data exposure in HTML forms in the management console (no CVE assigned).
5. **Versions Affected**:
– The vulnerabilities are fixed in the following GHES versions:
– 3.14.2
– 3.13.5
– 3.12.10
– 3.11.16
6. **Previous Critical Flaw**:
– In August, GitHub patched another critical SAML-related vulnerability (CVE-2024-6800, CVSS 9.5), an XML signature wrapping flaw that could allow an attacker to gain site administrator access.
7. **Action Recommended**:
– Organizations running a self-hosted GHES version below the fixed release for its line should update urgently. Confirm the installed version after the upgrade, since the SAML bypass cannot be mitigated by configuration alone other than by disabling encrypted assertions.
—
These points summarize the critical updates discussed regarding GitHub’s recent security vulnerabilities and the recommended actions for organizations to secure their systems.
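The fixed-version list under item 5 and the upgrade advice under item 7 translate directly into a fleet check. The script below is an added example, not GitHub's code or anything from the advisory: it compares each instance's running version numerically against the fixed release on the same major.minor line, and flags release lines the advisory does not cover at all. The hostnames and JSON bodies are constructed; the assumption that the GHES REST endpoint `GET /api/v3/meta` reports the running version under an `installed_version` key is labelled in the code and should be checked against your instance.

```python
"""Triage GitHub Enterprise Server instances against the October 2024 fixes.

Added example, not GitHub's code. Assumptions are marked where they appear.
"""
import json
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory summary, one per supported release line.
FIXED_VERSIONS: Tuple[str, ...] = ("3.14.2", "3.13.5", "3.12.10", "3.11.16")


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into an int tuple so versions compare numerically.

    Plain string comparison would wrongly rank 3.12.9 above 3.12.10.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(version: Version) -> str:
    return ".".join(str(n) for n in version)


def fixed_version_for_line(major: int, minor: int) -> Optional[Version]:
    """Return the fixed release on the same major.minor line, if the list has one."""
    for fixed in map(parse_version, FIXED_VERSIONS):
        if fixed[:2] == (major, minor):
            return fixed
    return None


def assess(installed: str) -> Dict[str, str]:
    """Classify one installed version against the fixed releases.

    Statuses:
      patched          - at or above the fixed release on its line
      vulnerable       - on a covered line but below the fixed release
      unsupported_line - older than the oldest line with a fix; no fix is listed,
                         so it is treated as vulnerable (assumption: upgrade the line)
      newer_line       - newer than any line in this list; consult the current advisory
    """
    inst = parse_version(installed)
    fixed = fixed_version_for_line(inst[0], inst[1])
    if fixed is not None:
        status = "patched" if inst >= fixed else "vulnerable"
        required = fmt(fixed)
    else:
        oldest_fixed = min(map(parse_version, FIXED_VERSIONS))
        if inst[:2] < oldest_fixed[:2]:
            status = "unsupported_line"
            required = fmt(oldest_fixed)  # the lowest release that carries the fix
        else:
            status = "newer_line"
            required = "n/a"
    return {"installed": installed, "status": status, "required": required}


def triage_meta_responses(responses: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Assess a fleet from the JSON bodies of GET /api/v3/meta on each instance.

    Assumption: the GHES meta endpoint reports the running version under the
    'installed_version' key. Instances that do not report one are marked unknown
    rather than silently treated as patched.
    """
    results: Dict[str, Dict[str, str]] = {}
    for host, body in responses.items():
        version = json.loads(body).get("installed_version")
        if not version:
            results[host] = {"installed": "?", "status": "unknown", "required": "n/a"}
            continue
        results[host] = assess(version)
    return results


# Constructed sample responses (not real instances) standing in for the meta
# endpoint output; only the installed_version field is used.
SAMPLE_META: Dict[str, str] = {
    "ghes-prod.example.internal": '{"installed_version": "3.13.4"}',
    "ghes-staging.example.internal": '{"installed_version": "3.14.2"}',
    "ghes-legacy.example.internal": '{"installed_version": "3.10.12"}',
}

if __name__ == "__main__":
    for host, result in triage_meta_responses(SAMPLE_META).items():
        print(f"{host}: {result['installed']} -> {result['status']}"
              f" (fixed release: {result['required']})")
```

Run it against the JSON from each instance's meta endpoint (collected however your inventory tooling prefers) and treat anything other than `patched` as an action item; an `unsupported_line` result means the whole release line needs upgrading, not just the patch level.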