
DIVD-2024-00020 - Authentication Bypass in GitHub Enterprise Server (GHES)

Our reference DIVD-2024-00020
Case lead Max van der Horst
Researcher(s)
CVE(s)
Products
  • GitHub Enterprise Server
Versions
  • All versions prior to 3.13.0
Recommendation Upgrade to versions 3.9.15, 3.10.12, 3.11.10, 3.12.4, or 3.13.0 to remediate the vulnerability.
Patch status Released
Status Closed
Last modified 20 Jun 2024 19:50 CEST

Summary

An authentication bypass vulnerability was discovered in GitHub Enterprise Server (GHES) when SAML Single Sign-On authentication is used together with the optional encrypted assertions feature. The vulnerability allowed an attacker to forge a SAML response in order to provision and/or gain access to a user with site administration privileges, giving the attacker unauthorized access to the server. GitHub states that encrypted assertions are not enabled by default and that servers that do not use SAML Single Sign-On are not affected. All versions prior to 3.13.0 are vulnerable.

Recommendations

Encrypted assertions allow site administrators to further secure the communication with a SAML identity provider during authentication. Since only servers with this option enabled are affected, it is wise to verify whether it has been turned on for your server. The recommended remediation is to upgrade to one of the following versions:

  • 3.9.15
  • 3.10.12
  • 3.11.10
  • 3.12.4
  • 3.13.0

What we are doing

DIVD is currently working to identify parties that are running a version of GitHub Enterprise Server that contains this vulnerability and notify these parties. We do this by finding GitHub Enterprise servers that are connected to the Internet and verifying their version numbers.

Unfortunately, we cannot determine remotely whether SAML is used and/or whether it is configured with the encrypted assertions feature. Parties that are found to be running a version that contains the vulnerability will receive a notification with remediation steps.
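The version triage described above, as an added example that is not DIVD's own scanning tooling: given observed GHES version strings (the sample list below is constructed), it decides which ones fall inside the affected range from this advisory and which fixed release they should move to. As the page notes, a version check alone cannot tell whether SAML with encrypted assertions is actually enabled.

```python
import re

# Fixed releases listed in the advisory: each of these series received a backported fix.
FIXED_BY_SERIES = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# First release series in which the fix ships without a backport.
FIRST_FIXED_RELEASE = (3, 13, 0)


def parse_version(text):
    """Parse a 'major.minor.patch' GHES version string into a tuple of ints."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text):
    """True when the version predates the fix for DIVD-2024-00020 in its series."""
    version = parse_version(version_text)
    if version >= FIRST_FIXED_RELEASE:
        return False
    fixed = FIXED_BY_SERIES.get(version[:2])
    if fixed is None:
        # Series without a backport (e.g. 3.8.x): everything before 3.13.0 is affected.
        return True
    return version < fixed


def recommended_upgrade(version_text):
    """Smallest fixed release for this version's series, or None if already fixed."""
    if not is_vulnerable(version_text):
        return None
    target = FIXED_BY_SERIES.get(parse_version(version_text)[:2], FIRST_FIXED_RELEASE)
    return ".".join(str(part) for part in target)


def triage(observed_versions):
    """Split observed version strings into those needing notification and those fixed."""
    result = {"vulnerable": [], "fixed": []}
    for text in observed_versions:
        result["vulnerable" if is_vulnerable(text) else "fixed"].append(text)
    return result


if __name__ == "__main__":
    # Constructed sample of version strings as a scanner might record them.
    sample = ["3.8.20", "3.11.9", "3.11.10", "3.12.3", "3.13.0", "3.14.1"]
    for v in sample:
        print(v, "vulnerable -> upgrade to" if is_vulnerable(v) else "fixed", recommended_upgrade(v) or "")
```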

Timeline

Date Description
27 May 2024 DIVD starts researching the vulnerability.
28 May 2024 DIVD finds fingerprint, preparing to scan.
20 Jun 2024 DIVD is unable to fingerprint vulnerable devices which are using SAML Single Sign-On authentication with the optional encrypted assertions feature enabled.

More information