GitHub Fixes Critical Vulnerability in Enterprise Server Allowing Unauthorized Access to Instances

16.10.2024

GitHub has released critical security updates for its Enterprise Server (GHES), addressing multiple vulnerabilities, including one that could allow unauthorized access to an instance. The most severe flaw, tracked as **CVE-2024-9487**, carries a CVSS score of 9.5 out of 10, indicating its high impact on affected systems.

According to GitHub, the vulnerability could let attackers bypass **SAML single sign-on (SSO)** authentication when using the optional encrypted assertions feature. This bypass occurs due to improper verification of cryptographic signatures, enabling unauthorized user provisioning and access to the instance. The flaw was described as a regression introduced while remediating a previous issue, **CVE-2024-4985**, which had a maximum severity rating of 10.0 and was patched in May 2024.

In addition to **CVE-2024-9487**, two other vulnerabilities were fixed. **CVE-2024-9539** (CVSS score: 5.7) is an information disclosure flaw that could allow an attacker to retrieve a user’s metadata by tricking them into clicking on malicious SVG asset URLs. A separate issue involving sensitive data exposure in HTML forms in the management console, though not assigned a CVE, was also patched.

All three of these vulnerabilities have been addressed in **GHES versions 3.14.2, 3.13.5, 3.12.10**, and **3.11.16**. GitHub has urged users to update their systems immediately to protect against these risks.
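As an added illustration (not part of the original article or of GitHub's own tooling), the following Python snippet shows the check an administrator would run over an inventory of self-hosted instances: it parses each GHES version string and compares it against the fixed release for its minor branch, using the four patched versions named above. The inventory lines are constructed sample input, and treating any branch older than 3.11 as unpatched is an assumption made here.

```python
"""Triage GitHub Enterprise Server (GHES) versions against the fixed releases.

Fixed versions are the ones quoted in the advisory summary above:
3.14.2, 3.13.5, 3.12.10 and 3.11.16. A branch that is not listed
(for example 3.10.x) is assumed here to be unpatched.
"""
from typing import Dict, Tuple

# Minimum patched release per supported minor branch (from the article).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 14): (3, 14, 2),
    (3, 13): (3, 13, 5),
    (3, 12): (3, 12, 10),
    (3, 11): (3, 11, 16),
}

# Constructed sample inventory: "<hostname> <ghes version>" per line.
SAMPLE_INVENTORY = """\
ghes-prod-1.example.internal 3.14.1
ghes-prod-2.example.internal 3.14.2
ghes-staging.example.internal 3.12.11
ghes-legacy.example.internal 3.10.20
ghes-dev.example.internal 3.11.16
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' into a tuple of ints; reject anything else loudly."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True if `version` is at or above the fixed release on its minor branch.

    Branches missing from FIXED_VERSIONS are treated as unpatched (assumption).
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) >= fixed


def triage(inventory: str) -> Dict[str, str]:
    """Map each hostname in an inventory to 'patched' or 'UNPATCHED'.

    Malformed lines are reported as 'unparseable' rather than silently skipped,
    so a typo in the inventory cannot hide an unpatched host.
    """
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            result[line.strip()] = "unparseable"
            continue
        host, version = fields
        try:
            result[host] = "patched" if is_patched(version) else "UNPATCHED"
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {host}")
```

Only exact three-part version strings are accepted, so an unexpected format surfaces as `unparseable` in the report instead of being misread as patched.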

Earlier in August, GitHub also fixed a critical security vulnerability, **CVE-2024-6800** (CVSS score: 9.5), which could have allowed attackers to escalate their privileges to site administrator level. Organizations using vulnerable self-hosted GHES versions are strongly recommended to apply these updates promptly.
