GitHub has released an urgent fix for a trio of security defects in the GitHub Enterprise Server product and warned that hackers can exploit one of the flaws to gain site administrator privileges.
The most severe issue is tracked as CVE-2024-6800 and covers a vulnerability that allows an attacker to manipulate SAML SSO authentication to provision and/or gain access to a user account with site administrator privileges.
The vulnerability carries a CVSS severity score of 9.5/10 and is described as an XML signature wrapping bug that surfaces when GitHub Enterprise Server (GHES) is configured for SAML authentication with specific identity providers. In a signature wrapping attack, the attacker leaves the identity provider's validly signed XML fragment intact in the SAML response but repositions it, and inserts unsigned content where the service provider's parser actually reads the user's identity; a signature check that is not tied to the exact element it covers still passes.
“This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication,” according to the advisory.
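To make the bug class concrete, the following is an added illustration, not code from GitHub, the advisory, or any identity provider, of the consumer-side mistake that XML signature wrapping exploits. It assumes a toy HMAC over a simplified canonical form in place of real XML-DSig with RSA and C14N, drops SAML namespaces, and constructs its own sample response; the element names, the IDs `_a1` and `_evil`, and the `role` attribute are all hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key shared by the IdP and the service provider. It stands in for
# the IdP's signing key; real SAML uses XML-DSig with RSA/ECDSA, not HMAC (assumption).
IDP_KEY = b"demo-idp-signing-key"


def canonical(elem):
    """Toy stand-in for XML-DSig canonicalisation: serialise the element with its own
    enveloped <Signature> child removed, so signing and verifying see the same bytes."""
    clone = ET.fromstring(ET.tostring(elem))
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return ET.tostring(clone)


def sign_assertion(assertion):
    """IdP side: attach an enveloped signature whose Reference points at the assertion's ID."""
    sig = ET.SubElement(assertion, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion.get("ID"))
    digest = hashlib.sha256(canonical(assertion)).hexdigest()
    ET.SubElement(sig, "DigestValue").text = digest
    ET.SubElement(sig, "SignatureValue").text = hmac.new(IDP_KEY, digest.encode(), hashlib.sha256).hexdigest()


def verify_signature(root):
    """Check the first <Signature> in the document. Returns the element its Reference URI
    resolves to when digest and MAC match, otherwise None. Note that it resolves the ID
    anywhere in the tree, as a generic XML-DSig library does."""
    sig = root.find(".//Signature")
    if sig is None:
        return None
    target_id = sig.find("Reference").get("URI").lstrip("#")
    target = next((e for e in root.iter() if e.get("ID") == target_id), None)
    if target is None:
        return None
    digest = hashlib.sha256(canonical(target)).hexdigest()
    mac = hmac.new(IDP_KEY, digest.encode(), hashlib.sha256).hexdigest()
    if digest != sig.find("DigestValue").text:
        return None
    if not hmac.compare_digest(mac, sig.find("SignatureValue").text):
        return None
    return target


def build_legit_response():
    """Constructed sample: the IdP asserts that 'alice' is an ordinary member."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="_a1")
    ET.SubElement(ET.SubElement(assertion, "Subject"), "NameID").text = "alice"
    ET.SubElement(assertion, "Attribute", Name="role").text = "member"
    sign_assertion(assertion)
    return ET.tostring(root)


def wrap_attack(legit_xml):
    """Attacker with network access to the SP rewrites the response: the signed assertion
    is kept byte-for-byte (so the signature still verifies) but moved under a wrapper
    element, and an unsigned admin assertion is placed where a naive consumer looks first."""
    root = ET.fromstring(legit_xml)
    signed = root.find("Assertion")
    root.remove(signed)
    forged = ET.SubElement(root, "Assertion", ID="_evil")
    ET.SubElement(ET.SubElement(forged, "Subject"), "NameID").text = "attacker"
    ET.SubElement(forged, "Attribute", Name="role").text = "site-admin"
    ET.SubElement(root, "Extensions").append(signed)
    return ET.tostring(root)


def claims(assertion):
    """Extract (subject, role) from an assertion element."""
    return assertion.find("Subject/NameID").text, assertion.find("Attribute[@Name='role']").text


def vulnerable_consume(response_xml):
    """Bug: verifies that *a* signature is valid, then reads identity from the first
    <Assertion> in document order, which need not be the element that was signed."""
    root = ET.fromstring(response_xml)
    if verify_signature(root) is None:
        raise ValueError("invalid signature")
    return claims(root.find(".//Assertion"))


def hardened_consume(response_xml):
    """Fix: trust only the element the verified Reference resolves to, and reject any
    document with extra assertions or duplicate IDs, the fingerprints of wrapping."""
    root = ET.fromstring(response_xml)
    signed = verify_signature(root)
    if signed is None or signed.tag != "Assertion":
        raise ValueError("no valid signature over an Assertion")
    assertions = root.findall(".//Assertion")
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(assertions) != 1 or assertions[0] is not signed or len(ids) != len(set(ids)):
        raise ValueError("possible signature wrapping: extra assertion or duplicate ID")
    return claims(signed)


def is_accepted(consumer, response_xml):
    """True if the consumer accepts the response, False if it rejects it."""
    try:
        consumer(response_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit, attack = build_legit_response(), wrap_attack(build_legit_response())
    print("vulnerable, legit :", vulnerable_consume(legit))
    print("vulnerable, attack:", vulnerable_consume(attack))
    print("hardened,   legit :", hardened_consume(legit))
    print("hardened,   attack accepted:", is_accepted(hardened_consume, attack))
```

The point of the contrast is that the signature itself is never broken: the attacker cannot change a byte of the signed assertion, so the vulnerable consumer's check passes, yet it then acts on an unsigned sibling it found by a loose XPath. The fix is to let the signature verifier, not the parser, decide which element is trusted, and to treat any extra assertion or duplicate ID as an attack rather than noise.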
GitHub said the vulnerability, reported privately via its bug bounty program, affects all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.
The company also documented a pair of medium-severity flaws: one allows an attacker to update the title, assignees, and labels of any issue in a public repository; the other allows a GitHub App holding only the contents: read and pull requests: write permissions to disclose the contents of issues in a private repository.
GitHub Enterprise Server is the self-hosted version of GitHub Enterprise. It is installed on-prem or on a private cloud and provides features of the cloud-based version of GitHub, including pull requests, code reviews, and project management tools.
Related: Critical Authentication Bypass Resolved in GitHub Enterprise Server
Related: GitHub Enterprise Server Gets New Security Capabilities
Related: Serious Vulnerability in GitHub Enterprise Earns Researcher $20,000
Related: Hackers Earn Big Bounties for GitHub Enterprise Flaw