DIVD-2024-00020 - Authentication Bypass in GitHub Enterprise Server (GHES)

Summary

An authentication bypass vulnerability was discovered in GitHub Enterprise Server (GHES) when using SAML Single Sign-On authentication with the optional encrypted assertions feature. This vulnerability allowed an attacker to forge a SAML response to provision and/or gain access to a user with site administration privileges. By doing so, this provides the attacker with unauthorized access. GitHub reassures that encrypted assertions are not turned on by default and that servers that do not use SAML Single Sign-On are not affected. All versions prior to version 3.13.0 are vulnerable.

Recommendations

Encrypted assertions allow site administrators to further secure the communication with a SAML identity provider during authentication. Therefore, it is wise to verify whether this option has been turned on for your server. The recommended remediation is to upgrade to one of the following versions:

• 3.9.15
• 3.10.12
• 3.11.10
• 3.12.4
• 3.13.0

What we are doing

DIVD is currently working to identify parties that are running a version of GitHub Enterprise Server that contains this vulnerability and notify these parties. We do this by finding GitHub Enterprise servers that are connected to the Internet and verifying their version numbers.

Unfortunately we cannot identify remotely if SAML is used and/or if it is configure with the encrypted assertions feature. Parties that are found to be running a version that contains the vulnerability will receive a notification with remediation steps.

Timeline

More information

• CVE-2024-4985
• GitHub Advisory