
GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

Aug 22, 2024 / Ravie Lakshmanan / Enterprise Software / Vulnerability

GitHub has released fixes to address a set of three security flaws impacting its Enterprise Server product, including one critical bug that could be abused to gain site administrator privileges.

The most severe of the shortcomings has been assigned the CVE identifier CVE-2024-6800, and carries a CVSS score of 9.5.

"On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges," GitHub said in an advisory.


The Microsoft-owned subsidiary has also addressed a pair of medium-severity flaws –

  • CVE-2024-7711 (CVSS score: 5.3) – An incorrect authorization vulnerability that could allow an attacker to update the title, assignees, and labels of any issue within a public repository.
  • CVE-2024-6337 (CVSS score: 5.9) – An incorrect authorization vulnerability that could allow an attacker to access issue contents from a private repository using a GitHub App with only contents: read and pull requests: write permissions.

All three security vulnerabilities have been addressed in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.
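As an added illustration (not part of the article or of GitHub's advisory), the following Python helper checks a self-hosted GHES version string against the four fixed releases named above, so an inventory of instances can be triaged quickly. Release lines the advisory does not mention (older than 3.10 or newer than 3.13) are reported as "unknown" rather than guessed; the function names, the version-string format and the sample inventory are this example's own assumptions.

```python
# Added example: map a GitHub Enterprise Server (GHES) version to the fixed
# releases named in the article (3.13.3, 3.12.8, 3.11.14, 3.10.16).
# Function names, the accepted version format and the "unknown" handling
# are choices made for this example, not something GitHub publishes.
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per supported line, taken from the article.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 13): (3, 13, 3),
    (3, 12): (3, 12, 8),
    (3, 11): (3, 11, 14),
    (3, 10): (3, 10, 16),
}

# major.minor.patch, with an optional leading "v"; trailing suffixes ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch' into a comparable tuple, or None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release on its line,
    False if it is below it, None when the line is not covered by the advisory
    or the string cannot be parsed (callers should treat None as 'go and check')."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Bucket an inventory of version strings into patched / vulnerable / unknown."""
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for v in versions:
        status = is_patched(v)
        if status is None:
            report["unknown"].append(v)
        elif status:
            report["patched"].append(v)
        else:
            report["vulnerable"].append(v)
    return report


if __name__ == "__main__":
    # Constructed sample inventory for the demo, not real hosts.
    sample = ["3.13.3", "3.12.7", "3.11.14", "3.10.15", "3.9.9", "v3.14.0", "garbage"]
    for bucket, items in triage(sample).items():
        print(f"{bucket}: {items}")
```

The comparison is done on integer tuples rather than strings, so 3.10.16 correctly sorts above 3.10.9; anything on an unlisted line deliberately lands in "unknown" instead of being assumed safe.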

Back in May, GitHub also patched a critical security vulnerability (CVE-2024-4985, CVSS score: 10.0) that could permit unauthorized access to an instance without requiring prior authentication.

Organizations that are running a vulnerable self-hosted version of GHES are highly advised to update to the latest version to safeguard against potential security threats.
