
GitHub patches critical vulnerability in its Enterprise Servers

The “severe” flaw could allow attackers full access to instances.

GitHub’s latest Enterprise Server update fixes a critical vulnerability that allows authentication bypass for on-premise deployments, according to the company.

The bug — CVE-2024-9487 — impacts GitHub’s enterprise product and does not affect its software-as-a-service products, according to the company’s release. The Microsoft-owned company said the bug, which is a 9.5 on the CVSS scale, would allow hackers to bypass a method typically used by companies to verify employee identities using single sign-on called Security Assertion Markup Language (SAML).

Chris Hatter, chief technology officer of the application security company Qwiet.Ai, called the vulnerability “severe” and said that organizations should ensure they understand their relevant network architectures. 

Hatter said companies should block any “routes to this access” and ensure that they have “telemetry to be able to understand who is accessing these resources by whom and from where.”


Hatter said a typical attack would likely require a malicious actor to already have access to an organization’s internal network in order to exploit the vulnerability. He cautioned that some organizations might expose Enterprise Servers to the open internet, but said that would be unusual.
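Hatter’s two recommendations above, knowing which routes reach the server and having telemetry on who signs in and from where, can be turned into a simple detection: flag successful SAML sign-ins whose source address is outside the networks an organization expects. The script below is an added example written for this article, not code from GitHub or from Qwiet.Ai. The log layout (timestamp, user, source IP, method, outcome), the trusted address ranges and the set of privileged accounts are all constructed assumptions for illustration; GitHub Enterprise Server’s real log format is not described on this page.

```python
import ipaddress
from collections import Counter

# Constructed sample sign-in records in an assumed "timestamp user src_ip method outcome"
# layout. This is NOT GitHub Enterprise Server's actual log format; it only serves the example.
SAMPLE_LOGS = """\
2024-10-10T08:01:12Z alice 10.20.4.17 saml success
2024-10-10T08:02:40Z bob 10.20.4.99 saml success
2024-10-10T08:05:03Z carol 203.0.113.45 saml success
2024-10-10T08:05:09Z admin 198.51.100.7 saml success
2024-10-10T08:06:00Z dave 10.20.5.2 saml failure
2024-10-10T08:07:31Z erin 192.168.30.8 saml success
"""

# Assumed internal ranges from which SAML sign-ins are expected to originate.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed set of accounts with administrative rights on the instance.
PRIVILEGED_USERS = {"admin"}


def parse_line(line):
    """Split one record into a dict; raises ValueError on a malformed line."""
    ts, user, ip, method, outcome = line.split()
    return {
        "ts": ts,
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "method": method,
        "outcome": outcome,
    }


def is_trusted(ip):
    """True when the address falls inside one of the expected internal ranges."""
    return any(ip in net for net in TRUSTED_NETS)


def find_untrusted_saml_logins(log_text):
    """Return successful SAML sign-ins whose source IP is outside TRUSTED_NETS.

    Each hit carries a 'severity' field: 'high' for privileged accounts, else 'medium'.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "saml" or rec["outcome"] != "success":
            continue
        if is_trusted(rec["ip"]):
            continue
        rec["severity"] = "high" if rec["user"] in PRIVILEGED_USERS else "medium"
        hits.append(rec)
    return hits


def count_by_source(hits):
    """Aggregate hits per source address, useful for a quick triage view."""
    return Counter(str(h["ip"]) for h in hits)


if __name__ == "__main__":
    for h in find_untrusted_saml_logins(SAMPLE_LOGS):
        print(f"{h['ts']} {h['severity']:6} {h['user']} from {h['ip']}")
    print(count_by_source(find_untrusted_saml_logins(SAMPLE_LOGS)))
```

On the constructed sample the script reports carol and admin, the two successful SAML sign-ins from addresses outside the assumed internal ranges, and marks the admin sign-in high severity. In practice the trusted ranges would be the organization’s VPN and office networks, and any hit would be cross-checked against the identity provider’s own sign-in records, since a SAML bypass means the instance may have accepted an assertion the identity provider never issued.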

The bug lets an attacker forge the authentication request that identity providers use to verify that a person is signing into an approved service. Most people have multiple identities for work — a recent report from Push Security noted that companies have on average 15 identities per employee — and SAML SSO helps organizations manage authorization and access.

Hatter said GitHub Enterprise Servers could be a “treasure trove of information” for hackers. Accessed instances could include “source code, architectural documents, information about developers,” which could be useful for espionage, social engineering attacks, and IP theft, among other acts.

“If you have access to the source code and you have administrative privileges into the source code management systems, theoretically you could start to manipulate that source code and implement a back door,” Hatter said.

GitHub’s latest update fixes a regression of CVE-2024-4985, a vulnerability with a 10.0 CVSS score that was first patched by GitHub in May.


The Oct. 6 update included two other security fixes: a bug in SVG assets that could allow metadata retrieval — CVE-2024-9539 — and the removal of a management console feature that could expose sensitive data in HTML forms.

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out:  christian.vasquez at cyberscoop dot com