A critical bug in GitHub Enterprise Server could allow an attacker to gain unauthorized access to a user account with administrator privileges and then wreak havoc on an organization's code repositories.
The good news is that there's a fix. The Microsoft-owned code hosting service addressed the 9.5 CVSS-rated flaw tracked as CVE-2024-6800 in GitHub Enterprise Server (GHES) versions 3.13.3, 3.10.16, 3.11.14, and 3.12.8.
Orgs running a vulnerable instance of GitHub Enterprise Server (GHES), GitHub's self-hosted version, will likely do well to download the update ASAP as miscreants are likely already scanning for this CVE.
Affected versions of GHES include 3.13.0 to 3.13.2, 3.10.0 to 3.10.15, 3.11.0 to 3.11.13 and 3.12.0 to 3.12.7.
As GitHub explained in the release notes we’ve linked to above, the critical flaw affected GHES instances that use Security Assertion Markup Language (SAML) for single sign-on authentication. The SAML authentication allows specific identity providers (IdPs) that use publicly exposed and signed federation metadata XML. This could allow an attacker to forge a SAML response to gain administrator privileges on a compromised machine, thus giving an unauthorized party access to your organization's GitHub-hosted repos.
This vulnerability, along with two others addressed in version 3.13.3, were reported via the GitHub Bug Bounty program.
The other two now-fixed flaws are both rated medium-severity.
CVE-2024-7711 could allow an attacker to update the title, assignees and labels of any issue inside a public repository — public being the key word here. Private and internal repositories are not affected by this bug, which earned a 5.3 CVSS rating.
CVE-2024-6337 is a 5.9-rated vulnerability that could allow an attacker to disclose the issue contents from a private repository using a GitHub App with only 'content: read' and 'pull_request_write: write' permissions.
This one can only be exploited with a user-access token, we're told. Installation access tokens are not affected.
- GitHub rolls back database change after breaking itself
- Who needs GitHub Copilot when you can roll your own AI code assistant at home
- 110K domains targeted in 'sophisticated' AWS cloud extortion campaign
- Multiple flaws in Microsoft macOS apps unpatched despite potential risks
It's been a rocky couple of weeks for the collaborative coding colossus.
This security update comes about a week after GitHub broke itself after rolling out an "erroneous" configuration change to all GitHub.com databases. This caused a global outage to several of its services, along with GitHub.com and the GitHub API.
Also last week, Palo Alto’s Unit 42 threat intelligence team found that a bad combination of misconfigurations and security flaws can make GitHub Actions artifacts leak both GitHub and third-party cloud services tokens. ®