
GitHub fixes critical security flaw in Enterprise Server that grants administrative privileges

August 22, 2024 | Ravie Lakshmanan | Business Software / Vulnerability


GitHub has released fixes for a set of three security vulnerabilities affecting its Enterprise Server product, including a critical bug that could be exploited to gain site administrator privileges.

The most serious flaw has been assigned the CVE identifier CVE-2024-6800 and a CVSS score of 9.5.

“On GitHub Enterprise Server instances using SAML single sign-on (SSO) authentication with specific IdPs using publicly accessible signed federation metadata XML, an attacker can forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” GitHub said in an advisory.


The Microsoft subsidiary also addressed two medium severity bugs:

  • CVE-2024-7711 (CVSS score: 5.3) – An improper authorization vulnerability that could allow an attacker to update the title, assignments, and labels of an issue in a public repository.
  • CVE-2024-6337 (CVSS score: 5.9) – An improper authorization vulnerability that could allow an attacker to access the contents of an issue in a private repository using a GitHub app with only content: read and pull request: write permissions.

All three security vulnerabilities have been fixed in GHES versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16.
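The fixed releases above are per release line, so a plain "is my version newer than X" comparison is not enough: 3.12.8 is patched while 3.13.2 is not. The following Python script is an added example, not code from GitHub or from this article, that encodes exactly the four fixed versions named here and classifies an inventory of self-hosted instances as patched, vulnerable, or outside the listed release lines (which the script refuses to guess about). The hostnames in the sample inventory are constructed.

```python
"""Classify GitHub Enterprise Server (GHES) versions against the releases that
fixed CVE-2024-6800, CVE-2024-7711 and CVE-2024-6337 (per the GitHub advisory).
Added example; the version table below is taken from the article text only."""
from typing import List, Optional, Tuple

# Fixed releases named in the advisory, keyed by the 3.x release line.
FIXED_VERSIONS = {
    (3, 13): (3, 13, 3),
    (3, 12): (3, 12, 8),
    (3, 11): (3, 11, 14),
    (3, 10): (3, 10, 16),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '3.12.7' (or 'v3.12.7') into the tuple (3, 12, 7)."""
    parts = version.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the fix, False if it is on a listed release
    line but below the fixed patch level, None if the release line is not one
    of those the advisory names (older unsupported lines, or lines released
    later) and therefore has to be checked against the vendor's own notes."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Bucket (hostname, version) pairs into patched / vulnerable / unknown."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        state = is_patched(version)
        key = "unknown" if state is None else ("patched" if state else "vulnerable")
        report[key].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("ghes-prod.example", "3.13.2"),
        ("ghes-dr.example", "3.12.8"),
        ("ghes-lab.example", "3.9.5"),
        ("ghes-test.example", "v3.11.14"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Instances that land in the "unknown" bucket are deliberately not reported as safe: a 3.9.x instance is older than every listed line and should be treated as needing an upgrade, while a line newer than 3.13 must be checked against GitHub's own release notes rather than assumed to carry these fixes.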

In May, GitHub also patched a critical security vulnerability (CVE-2024-4985, CVSS score: 10.0) that allowed unauthorized access to an instance without requiring prior authentication.

Organizations using a vulnerable self-hosted version of GHES are strongly advised to update to the latest version to protect themselves from potential security risks.
