Code hosting platform GitHub has released patches for a critical-severity vulnerability in GitHub Enterprise Server that could lead to unauthorized access to affected instances.
Tracked as CVE-2024-9487 (CVSS score of 9.5), the bug was introduced in May 2024 as part of the remediations released for CVE-2024-4985, a critical authentication bypass defect allowing attackers to forge SAML responses and gain administrative access to the Enterprise Server.
According to the Microsoft-owned platform, the newly resolved flaw is a variant of the initial vulnerability, also leading to authentication bypass.
“An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server,” GitHub notes in an advisory.
The code hosting platform points out that encrypted assertions are not enabled by default and that Enterprise Server instances not configured with SAML SSO, or which rely on SAML SSO authentication without encrypted assertions, are not vulnerable.
“Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document,” GitHub notes.
The vulnerability was resolved in GitHub Enterprise Server versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2, which also address a medium-severity information disclosure bug that could be exploited through malicious SVG files.
To successfully exploit the issue, which is tracked as CVE-2024-9539, an attacker would need to convince a user to click on an uploaded asset URL, allowing them to retrieve metadata information of the user and “further exploit it to create a convincing phishing page”.
GitHub says that both vulnerabilities were reported via its bug bounty program and makes no mention of any of them being exploited in the wild.
GitHub Enterprise Server version 3.14.2 also fixes a sensitive data exposure issue in HTML forms in the management console by removing the ‘Copy Storage Setting from Actions’ functionality.
Related: GitLab Patches Pipeline Execution, SSRF, XSS Vulnerabilities
Related: GitHub Makes Copilot Autofix Generally Available
Related: Court Data Exposed by Vulnerabilities in Software Used by US Government: Researcher
Related: Critical Exim Flaw Allows Attackers to Deliver Malicious Executables to Mailboxes