Recently, security researchers disclosed a critical vulnerability (CVE-2024-4985, cvss score: 10.0) in the GitHub Enterprise Server (GHES) that allows an unauthorized attacker to access GHES instances without pre-authentication. A fix has been rolled out by GitHub, and no large-scale exploitation of the vulnerability has been found, so users can update GHES to a patched version (3.9.15, 3.10.12, 3.11.10, 3.12.4 or later). If an immediate update is not possible, consider temporarily disabling SAML authentication or cryptographic assertion features as a temporary mitigation.
Reference: https://cncso.com/critical-github-enterprise-server-flaw-allows-authentication-bypass.html
