GitHub Fixes Maximum Severity Flaw in Enterprise Server
GitHub has issued an update to fix a critical vulnerability in its GitHub Enterprise Server (GHES) with a maximum CVSS score of 10.
The Microsoft-owned developer platform explained this week that CVE-2024-4985 was discovered via its GitHub Bug Bounty Program.
It’s described as an authentication bypass vulnerability that could allow unauthorized access to a targeted instance without requiring prior authentication. It impacts all versions of GHES prior to 3.13.0.
However, the configuration of the GHES will determine whether it is exposed to potential exploitation, as only those using optional encrypted assertions and SAML single sign-on are impacted, GitHub explained.
“On instances that use SAML SSO authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” it noted.
“Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.”
GHES is a popular self-hosted platform that enables organizations to build and ship their own software using Git version control, APIs, productivity and collaboration tools, and third-party integrations.
Hackuity VP of strategy, Sylvain Cortes, warned that the CVSS score of 10 means users are at an “incredibly high risk” of attacker network break-ins.
“We know that patching continues to be a challenge for many organizations, but this latest vulnerability is yet another prime example of why security teams must keep on top of the most prevalent issues within their network,” he added.
“GitHub has issued an urgent patch for a reason – users of their Enterprise Server software should prioritize implementing this, and any other critical vulnerability patches, before it’s too late.”
The bug has been fixed in GHES versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
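To turn the affected-version and affected-configuration conditions above into a quick triage check, here is an added example (not GitHub's code) that classifies a GHES instance from its version string and two facts the operator reads from the instance's authentication settings; the version branches and fixed releases are those named in this article, and the two boolean inputs are assumed to be supplied by the administrator rather than read from any particular configuration key.

```python
# Added example: exposure triage for CVE-2024-4985 (not GitHub's own tooling).
# Fixed releases per minor branch come from the article; 3.13.0+ was never affected.
from typing import Tuple

FIXED_PATCH = {(3, 9): 15, (3, 10): 12, (3, 11): 10, (3, 12): 4}
FIRST_UNAFFECTED_MINOR = (3, 13)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' and a -suffix/+build tag are tolerated."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if the release contains the fix (or predates the bug's affected range)."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_UNAFFECTED_MINOR:
        return True
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Branches older than 3.9 got no fix release listed: every build is affected.
        return False
    return patch >= fixed


def exposure(version: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Classify as 'patched', 'vulnerable-config' or 'unpatched-not-exposed'.

    saml_sso / encrypted_assertions are assumed operator-supplied inputs describing
    the instance's current authentication settings (encrypted assertions are off by
    default, and only SAML SSO with encrypted assertions is exploitable).
    """
    if is_patched(version):
        return "patched"
    if saml_sso and encrypted_assertions:
        return "vulnerable-config"
    # Not exploitable today, but a later SAML config change would expose it: upgrade.
    return "unpatched-not-exposed"
```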