GitHub Patches Critical Flaw in Enterprise Server Allowing Unauthorized Instance Access

October 16, 2024 at 01:42AM GitHub has released security updates for Enterprise Server (GHES) addressing a critical vulnerability (CVE-2024-9487) that could enable unauthorized access via SAML SSO. The flaw has a CVSS score of 9.5. Additional vulnerabilities were also patched. Users are urged to update to the latest versions for enhanced security. ### Meeting Takeaways … Read more

GitHub Enterprise Server vulnerable to critical auth bypass flaw

August 21, 2024 at 10:22AM A critical vulnerability, CVE-2024-6800, in GitHub Enterprise Server allows an attacker to gain admin privileges by exploiting a problem with SAML authentication. Over 36,500 GHES instances are accessible online, mostly in the US. GitHub has released fixed versions and warns of potential errors and issues during the update process. Based … Read more

GitHub Authentication Bypass Opens Enterprise Server to Attackers

May 22, 2024 at 03:58PM A critical security bug (CVE-2024-4985, CVSS 10) in GitHub Enterprise Server affects SAML SSO implementations with encrypted assertions. Attackers can create fake SAML responses to obtain admin privileges. Versions before 3.13.0 are vulnerable, but emergency fixes are available in versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. Key takeaways from the meeting … Read more

Critical Authentication Bypass Resolved in GitHub Enterprise Server

May 22, 2024 at 09:03AM GitHub has released patches for a critical-severity vulnerability in Enterprise Server, impacting instances using SAML SSO authentication and encrypted assertions. The CVE-2024-4985 vulnerability allows unauthorized access to administrative privileges. GitHub advises updating to patched releases 3.9.15, 3.10.12, 3.11.10, or 3.12.4 to mitigate the risk. Users are urged to prioritize implementing … Read more

GitHub Enterprise Server patches 10-outta-10 critical hole

May 22, 2024 at 03:35AM GitHub patched a critical security flaw in its Enterprise Server software with the release of version p3.13.0, impacting instances using SAML SSO authentication. The bug, CVE-2024-4985, allows attackers to gain admin privileges when encrypted assertions are enabled. Microsoft-owned GitHub learned about the flaw through its bug bounty program, rewarding the … Read more