Critical GitHub Enterprise Server auth bypass flaw fixed (CVE-2024-6800)
A critical vulnerability (CVE-2024-6800) affecting all currently supported versions of GitHub Enterprise Server (GHES) may allow attackers to gain unrestricted access to the instance’s contents.
The issue, reported via the GitHub Bug Bounty program, has been addressed and administrators are advised to update quickly.
About CVE-2024-6800
GitHub Enterprise Server is a software development platform that organizations often self-host on-premises, usually to comply with specific regulations that require more control/security over their code repositories.
It comes in the form of a self-contained virtual appliance that’s installed on a virtual machine. The instance runs Linux with a custom application stack.
According to the software’s release notes, CVE-2024-6800 is an XML signature wrapping vulnerability that allows attackers to bypass authentication requirements, but only if the instance uses SAML single sign-on (SSO) authentication with specific [identity providers] utilizing publicly exposed signed federation metadata XML.
The flaw allows an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges.
Security updates available
Organizations running GitHub Enterprise Server instances on their own infrastructure and use SAML SSO authentication are advised to upgrade to one of the fixed GHES versions:
- 3.13.3
- 3.12.8
- 3.11.14
- 3.10.16
Though organizations that are still on the 3.10 branch might consider switching to a newer one, since v3.10 will be discontinued on August 29, 2024, and will not be receiving patches or security fixes from that point on.
GitHub does not mention possible mitigations or temporary workarounds for the issue.