FYI: Data from deleted GitHub repos may not actually be deleted

July 25, 2024 at 03:59PM Truffle Security researchers describe a weakness they term CFOR (Cross Fork Object Reference) that allows data to be retrieved from deleted GitHub repository forks. Because every repository in a fork network shares one object store, a commit deleted along with its fork remains reachable by its hash through the original repository or any other fork in the network. GitHub views this as intended behaviour, not a flaw: the platform keeps these "dangling commits" after deletion. For practitioners the consequence is that any secret ever pushed to a repository in a public fork network must be treated as exposed and rotated, since deleting the fork or the commit does not remove it. Truffle Security advises …
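The retention behaviour behind CFOR can be shown on a local repository. The script below is an added example, not code from the Truffle Security article or from GitHub: it commits a constructed fake credential, removes the commit from every branch with `git reset --hard`, and then reads the file back by commit hash from the object store. Locally this shows plain git behaviour; on GitHub the same unreachable objects are served across the whole fork network and are not pruned when a fork is deleted, which is the page's point. It assumes `git` is on PATH.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed sample secret for the demo; not a real credential.
FAKE_SECRET_LINE = "API_TOKEN=ghp_constructedExampleToken000000000000"


def _git(repo: Path, *args: str) -> str:
    """Run git in `repo` with a fixed identity so commits succeed on any machine."""
    proc = subprocess.run(
        ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.com",
         "-c", "commit.gpgsign=false", *args],
        cwd=repo, check=True, capture_output=True, text=True,
    )
    return proc.stdout.strip()


def demo_dangling_commit() -> dict:
    """Commit a secret, delete the commit from the branch, then recover it by hash."""
    repo = Path(tempfile.mkdtemp(prefix="cfor-demo-"))
    _git(repo, "init", "-q")
    _git(repo, "commit", "-q", "--allow-empty", "-m", "initial")

    # A developer accidentally commits a credential ...
    (repo / "config.env").write_text(FAKE_SECRET_LINE + "\n")
    _git(repo, "add", "config.env")
    _git(repo, "commit", "-q", "-m", "add deployment config")
    leaked_sha = _git(repo, "rev-parse", "HEAD")

    # ... notices, and removes the commit from the branch. No ref points at it now.
    _git(repo, "reset", "-q", "--hard", "HEAD~1")
    on_any_branch = leaked_sha in _git(repo, "rev-list", "--all").splitlines()

    # The object store still holds the commit: anyone who knows the hash can
    # read the file back. This unreachable object is a "dangling commit".
    probe = subprocess.run(["git", "cat-file", "-e", leaked_sha], cwd=repo)
    object_still_present = probe.returncode == 0
    recovered = _git(repo, "show", f"{leaked_sha}:config.env") if object_still_present else ""

    return {
        "leaked_sha": leaked_sha,
        "on_any_branch": on_any_branch,            # expected False
        "object_still_present": object_still_present,  # expected True
        "recovered": recovered,                    # expected FAKE_SECRET_LINE
    }


if __name__ == "__main__":
    result = demo_dangling_commit()
    print(f"commit {result['leaked_sha'][:10]} on a branch: {result['on_any_branch']}")
    print(f"object still readable: {result['object_still_present']}")
    print(f"recovered content: {result['recovered']}")
```

Locally, `git gc --prune=now` (after expiring reflogs) would eventually drop the object; on GitHub that pruning is not something the fork owner can trigger, so rotating the credential is the only reliable remedy.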

GitHub Authentication Bypass Opens Enterprise Server to Attackers

May 22, 2024 at 03:58PM A critical vulnerability (CVE-2024-4985, CVSS 10.0) in GitHub Enterprise Server affects instances that use SAML single sign-on with the optional encrypted assertions feature. An attacker can forge a SAML response to provision or gain access to a user with site administrator privileges. All versions before 3.13.0 are affected; fixes are available in 3.9.15, 3.10.12, 3.11.10 and 3.12.4. Encrypted assertions are not enabled by default, so instances that do not use SAML SSO, or use it without encrypted assertions, are not affected. Key takeaways …

Major IT, Crypto Firms Exposed to Supply Chain Compromise via New Class of CI/CD Attack

January 8, 2024 at 08:36AM Security researchers warn that tens of thousands of public GitHub repositories that use self-hosted GitHub Actions runners are exposed to malicious code injection, with high-impact supply-chain consequences. A pull request from a fork can cause a workflow to run on the repository's self-hosted runner (once the default approval gate for first-time contributors no longer applies), giving the attacker code execution on infrastructure the project controls; because self-hosted runners are non-ephemeral by default, a payload planted there persists across jobs and can tamper with later builds and releases. Exploitation of this weakness has led to significant …
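A first check a maintainer can run is to find workflows that combine a pull-request trigger with a self-hosted runner. The script below is an added example, not code from the researchers or from GitHub: it is a line-based heuristic scan (not a full YAML parser) over a few constructed workflow files and flags any job that runs on a `self-hosted` label while the workflow is triggered by `pull_request` or `pull_request_target`. The file names and workflow contents are constructed for the demo; a `runs-on` that is an expression is reported separately because its labels are only known at run time.

```python
import re
from typing import Dict, List, Tuple

# Triggers that let code from outside the repository reach the runner.
RISKY_EVENTS = {"pull_request", "pull_request_target"}

# Constructed sample workflows (not from any real repository).
WORKFLOWS: Dict[str, str] = {
    "ci-risky.yml": (
        "name: CI\n"
        "on:\n"
        "  pull_request:\n"
        "    branches: [main]\n"
        "jobs:\n"
        "  build:\n"
        "    runs-on: [self-hosted, linux, gpu]\n"
        "    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - run: make test\n"
    ),
    "ci-hosted.yml": (
        "name: CI\n"
        "on: [push, pull_request]\n"
        "jobs:\n"
        "  build:\n"
        "    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - run: make test\n"
    ),
    "release.yml": (
        "name: Release\n"
        "on:\n"
        "  push:\n"
        "    tags: ['v*']\n"
        "jobs:\n"
        "  publish:\n"
        "    runs-on: self-hosted\n"
        "    steps:\n"
        "      - run: ./publish.sh\n"
    ),
    "label-pr.yml": (
        "on:\n"
        "  pull_request_target:\n"
        "jobs:\n"
        "  label:\n"
        "    runs-on:\n"
        "      - self-hosted\n"
        "    steps:\n"
        "      - run: ./label.sh\n"
    ),
}


def _inline_list(value: str) -> List[str]:
    """Parse `a`, `[a, b]` or `'a'` into a list of bare tokens."""
    value = value.strip().strip("[]")
    return [v.strip().strip("'\"") for v in value.split(",") if v.strip()]


def _children(lines: List[str], idx: int) -> List[str]:
    """Collect direct child mapping keys or `- item` entries under line `idx`."""
    base = len(lines[idx]) - len(lines[idx].lstrip())
    child_indent = None
    out: List[str] = []
    for line in lines[idx + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= base:
            break                      # left the block
        if child_indent is None:
            child_indent = indent
        if indent != child_indent:
            continue                   # nested under a child (e.g. branches:)
        m = re.match(r"\s*-\s*['\"]?([^'\"\s]+)['\"]?\s*$", line)  # list item
        if not m:
            m = re.match(r"\s*['\"]?([\w-]+)['\"]?\s*:", line)      # mapping key
        if m:
            out.append(m.group(1))
    return out


def trigger_events(text: str) -> List[str]:
    """Return the event names under the workflow's top-level `on:`."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if m:
            rest = m.group(1).strip()
            return _inline_list(rest) if rest else _children(lines, i)
    return []


def runner_labels(text: str) -> List[List[str]]:
    """Return the label list of every `runs-on:` in the workflow."""
    lines = text.splitlines()
    found: List[List[str]] = []
    for i, line in enumerate(lines):
        m = re.match(r"^\s*runs-on:\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        if value.startswith("${{"):
            found.append(["<expression>"])   # resolved at run time; review by hand
        elif value:
            found.append(_inline_list(value))
        else:
            found.append(_children(lines, i))
    return found


def audit(workflows: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag workflows where outside pull requests can reach a self-hosted runner."""
    findings: List[Tuple[str, str]] = []
    for name, text in workflows.items():
        risky = sorted(set(trigger_events(text)) & RISKY_EVENTS)
        if not risky:
            continue
        for labels in runner_labels(text):
            if "self-hosted" in labels:
                findings.append((name, f"self-hosted runner reachable via {risky}"))
            elif labels == ["<expression>"]:
                findings.append((name, f"runs-on is an expression; resolve it (triggers {risky})"))
    return findings


if __name__ == "__main__":
    for fname, reason in audit(WORKFLOWS):
        print(f"{fname}: {reason}")
```

Point the same `audit` at the real contents of `.github/workflows/` to get a first inventory; the remediation the research points to is to keep public repositories on GitHub-hosted runners, or at minimum to register self-hosted runners as ephemeral and require approval for every outside pull request.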