GitHub Fixes Maximum Severity Flaw in Enterprise Server
GitHub has issued an update to fix a critical vulnerability in its GitHub Enterprise Server (GHES) with a maximum CVSS score of 10.
The Microsoft-owned developer platform explained this week that CVE-2024-4985 was discovered via its GitHub Bug Bounty Program.
It’s described as an authentication bypass vulnerability which could allow unauthorized access to a targeted instance without requiring prior authentication. It impacts all versions of GHES prior to 3.13.0.
However, the configuration of a GHES instance determines whether it is exposed to potential exploitation: only instances using SAML single sign-on together with the optional encrypted assertions feature are impacted, GitHub explained.
“On instances that use SAML SSO authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges,” it noted.
“Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.”
GHES is a popular self-hosted platform that enables organizations to build and ship their own software using Git version control, APIs, productivity and collaboration tools, and third-party integrations.
Hackuity VP of strategy, Sylvain Cortes, warned that the CVSS score of 10 means users are at an “incredibly high risk” of attacker network break-ins.
“We know that patching continues to be a challenge for many organizations, but this latest vulnerability is yet another prime example of why security teams must keep on top of the most prevalent issues within their network,” he added.
“GitHub has issued an urgent patch for a reason – users of their Enterprise Server software should prioritize implementing this, and any other critical vulnerability patches, before it’s too late.”
The bug has been fixed in GHES versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.
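Combining the affected-version range and the configuration conditions above into a triage check, as an added example (not GitHub's own tooling): it flags a GHES build as exposed only when it predates the fix for its release line and SAML SSO with encrypted assertions is enabled. The version parser and the treatment of release lines older than 3.9 are assumptions made here.

```python
"""Triage helper for CVE-2024-4985 (GHES SAML encrypted-assertions auth bypass)."""
from __future__ import annotations

# Fixed versions per release line, as listed in GitHub's advisory.
FIXED_BY_LINE = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# Releases from 3.13.0 onward were never affected.
UNAFFECTED_FROM = (3, 13, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a GHES version such as '3.11.9' into a comparable tuple.
    Only plain major.minor.patch strings are accepted (an assumption of this helper)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True if this GHES build still carries CVE-2024-4985, configuration aside."""
    v = parse_version(version)
    if v >= UNAFFECTED_FROM:
        return False
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        # Release lines older than 3.9 are prior to 3.13.0 and received no fix
        # in the advisory, so they are treated as vulnerable (assumption).
        return True
    return v < fixed


def is_exposed(version: str, saml_sso: bool, encrypted_assertions: bool) -> bool:
    """Exposure requires a vulnerable build AND SAML SSO with encrypted assertions on.
    Instances without SAML SSO, or with SAML SSO but unencrypted assertions, are not impacted."""
    return is_vulnerable_version(version) and saml_sso and encrypted_assertions


if __name__ == "__main__":
    # Constructed sample inventory: (version, saml_sso, encrypted_assertions)
    for host in [("3.11.9", True, True), ("3.11.9", True, False), ("3.12.4", True, True)]:
        print(host, "EXPOSED" if is_exposed(*host) else "not exposed")
```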