{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-047.pdf"
    },
    "title": "Critical Vulnerability in GitHub Enterprise Server",
    "serial_number": "2024-047",
    "publish_date": "22-05-2024 17:53:23",
    "description": "On May 21, 2024, GitHub disclosed a critical vulnerability in GitHub Enterprise Server (GHES) impacting instances using SAML single sign-on (SSO) with encrypted assertions. This vulnerability allows attackers to forge SAML responses, granting unauthorised administrative access without authentication.\nA proof of concept is publicly available. CERT-EU strongly recommends updating as soon as possible.",
    "url_title": "2024-047",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0GitHub\u00a0Enterprise\u00a0Server'\nnumber: '2024-047'\nversion: '1.0'\noriginal_date: 'May 21, 2024'\ndate: 'May 22, 2024'\n---\n\n_History:_\n\n* _22/05/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn May 21, 2024, GitHub disclosed a critical vulnerability in GitHub Enterprise Server (GHES) impacting instances using SAML single sign-on (SSO) with encrypted assertions. This vulnerability allows attackers to forge SAML responses, granting unauthorised administrative access without authentication. [1]\n\nA proof of concept is publicly available. CERT-EU strongly recommends updating as soon as possible. [2]\n\n# Technical Details\n\nThe vulnerability `CVE-2024-4985`, with a CVSS score of 10, involves SAML SSO with the optional encrypted assertions feature. An attacker could forge a SAML claim that contains correct user information. When GHES processes a fake SAML claim, it will not be able to validate its signature correctly, allowing an attacker to gain access to the GHES instance.\n\n# Affected Products\n\nThe following GitHub Enterprise Server versions are affected:\n\n- 3.12.0 to 3.12.3;\n- 3.11.0 to 3.11.9;\n- 3.10.0 to 3.10.11;\n- 3.9.0 to 3.9.14.\n\nOnly instances using SAML single sign-on (SSO) authentication are affected.\n\n# Recommendations\n\nCERT-EU strongly recommends updating as soon as possible.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-bypass-flaw-in-enterprise-server/>\n\n[2] <https://github.com/absholi7ly/Bypass-authentication-GitHub-Enterprise-Server>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/05/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On May 21, 2024, GitHub disclosed a critical vulnerability in GitHub Enterprise Server (GHES) impacting instances using SAML single sign-on (SSO) with encrypted assertions. This vulnerability allows attackers to forge SAML responses, granting unauthorised administrative access without authentication. [1]</p><p>A proof of concept is publicly available. CERT-EU strongly recommends updating as soon as possible. [2]</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2024-4985</code>, with a CVSS score of 10, involves SAML SSO with the optional encrypted assertions feature. An attacker could forge a SAML claim that contains correct user information. When GHES processes a fake SAML claim, it will not be able to validate its signature correctly, allowing an attacker to gain access to the GHES instance.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following GitHub Enterprise Server versions are affected:</p><ul><li>3.12.0 to 3.12.3;</li><li>3.11.0 to 3.11.9;</li><li>3.10.0 to 3.10.11;</li><li>3.9.0 to 3.9.14.</li></ul><p>Only instances using SAML single sign-on (SSO) authentication are affected.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends updating as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-bypass-flaw-in-enterprise-server/\">https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-bypass-flaw-in-enterprise-server/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/absholi7ly/Bypass-authentication-GitHub-Enterprise-Server\">https://github.com/absholi7ly/Bypass-authentication-GitHub-Enterprise-Server</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}