GitHub recently disclosed a critical security vulnerability in GitHub Enterprise Server that affects every release prior to 3.13.0, and strongly recommends that all customers running an affected version update immediately.
Vulnerability Details
An authentication bypass exists in GitHub Enterprise Server (GHES) instances that use SAML single sign-on with the optional encrypted assertions feature enabled. The issue is tracked as CVE-2024-4985 (CVSS score 10.0). An attacker who can reach the instance can forge a SAML response to provision and/or gain access to a user with site administrator privileges, obtaining unauthorized access without any prior authentication. The flaw affects all versions of GitHub Enterprise Server prior to 3.13.0 and is fixed in 3.9.15, 3.10.12, 3.11.10 and 3.12.4. It was reported through the GitHub Bug Bounty Program.
Affected versions
The following GitHub Enterprise Server deployments are affected:
All versions prior to 3.13.0, when SAML SSO is configured and the encrypted assertions option is enabled (this option is off by default; instances that do not use SAML, or use SAML without encrypted assertions, are not affected). Release lines older than 3.9 are out of support and receive no fix, so they must be upgraded to a patched release line.
A vulnerability of this severity exposes an organization's codebase, sensitive data and deployment environments to serious risk, because a forged assertion hands the attacker a site administrator account.
Vulnerability verification:
Open an intercepting proxy or request tool (e.g. Burp Suite).
Build the request that submits a SAML response to the GHES instance. The SAML web SSO flow delivers the response in the body of an HTTP POST, not as a GET query parameter.
Enter the GHES URL as the destination.
Replace the SAML response with a forged one that asserts the target user (the skeleton below shows the assertion contents).
Check the GHES response.
An HTTP 200 on its own is not proof of anything, since an ordinary login or error page is also served with status 200. The bypass is confirmed only if the instance accepts the forged response and establishes an authenticated session for the asserted user, for example by issuing a session cookie with which subsequent requests succeed as that user.
If the instance rejects the forged response (an error page, or a redirect back to the identity provider), authentication was not bypassed.
Skeleton of the forged SAML response referred to above. The original markup was lost in extraction; element names are restored from the surviving closing tags and standard SAML 2.0 structure, and the attribute names are illustrative:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    Destination="https://your-ghes-instance.com">
      <saml:Assertion>
        <saml:Subject>
          <saml:NameID>jdoe</saml:NameID>
        </saml:Subject>
        <saml:AuthnStatement>
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:methodName:password</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
          <saml:Attribute Name="company">
            <saml:AttributeValue>Acme Corporation</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="email">
            <saml:AttributeValue>jdoe@acme.com</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
    </samlp:Response>
GitHub's official response:
GitHub has released security patches for every supported release line to fix this vulnerability, and strongly recommends that all customers running an affected version upgrade to a patched release as soon as possible. Update steps and patch downloads are linked from the release notes and the security bulletin on the official GitHub documentation site.
Security upgrade
To protect your instance from exploitation, the following steps are recommended: update GitHub Enterprise Server to a patched release (3.9.15, 3.10.12, 3.11.10, 3.12.4 or later):
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.12
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.10
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.4
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.15
If you cannot upgrade immediately, disable the encrypted assertions option in the SAML settings as a temporary mitigation; instances that use SAML without encrypted assertions are not affected. Disabling SAML authentication altogether also closes the hole but is usually far more disruptive.
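The affected-version and mitigation notes above are easy to get wrong by hand, because each release line has its own first-fixed patch level. The following is an added example, not code from the original article or from GitHub: it turns the advisory's fixed versions into a check that classifies a build and, combined with the two SAML settings that decide exploitability, tells you whether an instance actually needs emergency action. The JSON sample is constructed to resemble the GHES `/api/v3/meta` response, which reports the build in its `installed_version` field; the function and variable names are this example's own.

```python
"""Classify a GitHub Enterprise Server build against CVE-2024-4985.

Added example (not GitHub's code). Fixed versions are those published in the
advisory; anything on the 3.13 line or later was never affected.
"""
import json
import re
from typing import Tuple

# First patched release on each supported release line, per the advisory.
FIXED_VERSIONS = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# 3.13.0 and later shipped without the bug.
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (an optional build suffix is ignored)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-][\w.-]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_build(version: str) -> bool:
    """True if this build lacks the fix, regardless of configuration."""
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Release line older than 3.9: out of support, no patch exists for it.
        return True
    return v < fixed


def assess(version: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Combine build state with the two settings that make the bug reachable."""
    if not is_vulnerable_build(version):
        return "patched"
    if not saml_sso:
        return "vulnerable build, not exploitable (SAML SSO not in use)"
    if not encrypted_assertions:
        return "vulnerable build, not exploitable (encrypted assertions disabled)"
    return "EXPLOITABLE: upgrade immediately or disable encrypted assertions"


def version_from_meta(meta_json: str) -> str:
    """Extract the build number from a GHES /api/v3/meta JSON document."""
    return json.loads(meta_json)["installed_version"]


# Constructed sample of a /api/v3/meta response from an unpatched 3.11 build.
SAMPLE_META = '{"verifiable_password_authentication": false, "installed_version": "3.11.9"}'

if __name__ == "__main__":
    build = version_from_meta(SAMPLE_META)
    for saml, enc in [(False, False), (True, False), (True, True)]:
        print(f"{build} saml={saml} encrypted_assertions={enc}: {assess(build, saml, enc)}")
```

Run against a real instance by replacing `SAMPLE_META` with the body of `GET https://your-ghes-instance.com/api/v3/meta`; the SAML settings themselves have to be read from the Management Console, since the API does not expose them.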
References:
https://github.com/absholi7ly/Bypass-authentication-GitHub-Enterprise-Server
https://nvd.nist.gov/vuln/detail/CVE-2024-4985
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/critical-github-enterprise-server-flaw-allows-authentication-bypass-html