GitHub Enterprise Server Patches Critical Security Flaw – CVE-2024-9487 (CVSS 9.5)

Summary: GitHub has issued security updates for GitHub Enterprise Server to fix two vulnerabilities, including a critical flaw that could allow attackers to bypass authentication. The most severe vulnerability, CVE-2024-9487, poses a significant risk due to improper verification in the SAML SSO authentication mechanism.

Threat Actor: Unknown
Victim: GitHub Enterprise Server Users

Key Points:

  • The critical vulnerability (CVE-2024-9487) has a CVSS score of 9.5 and allows bypassing of SAML SSO authentication.
  • Exploitation requires specific conditions, including enabled “encrypted assertions” and direct network access to the server.
  • A second medium severity vulnerability involves malicious URLs in SVG assets that can lead to user data exposure and phishing attacks.
  • All versions prior to 3.15 are affected, and users are urged to update immediately to mitigate risks.

GitHub has released security updates to address two vulnerabilities in GitHub Enterprise Server, one of which could allow attackers to bypass authentication and gain unauthorized access.

The most severe vulnerability, CVE-2024-9487, has been assigned a CVSS score of 9.5, indicating a critical risk. This flaw resides in the platform’s SAML SSO authentication mechanism: an improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed, resulting in unauthorized provisioning of users and access to the instance. Exploitation of this vulnerability, however, requires specific conditions:

  • The “encrypted assertions” feature must be enabled on the GitHub Enterprise Server instance.
  • The attacker needs direct network access to the server.
  • The attacker must possess a valid signed SAML response or metadata document.

While these prerequisites limit the attack surface, organizations using SAML SSO with encrypted assertions are urged to update their GitHub Enterprise Server installations immediately.

The second vulnerability, classified as medium severity, involves malicious URLs embedded in SVG assets. Such URLs for SVG assets disclosed information about a victim user who clicked them, allowing an attacker to retrieve metadata belonging to the user and use it to build a convincing phishing page. This attack vector requires a more complex scenario: the attacker must first upload malicious SVGs to the server and then trick a user into clicking the associated URL.

Both vulnerabilities affect all versions of GitHub Enterprise Server prior to 3.15 and have been addressed in the following releases:

GitHub urges all users of Enterprise Server to update to a patched version as soon as possible to mitigate these security risks.


Source: https://securityonline.info/github-enterprise-server-patches-critical-security-flaw-cve-2024-9487-cvss-9-5