Github has released corrections to eliminate serious vulnerability to Github Enterprise Server (Ghes), which could allow attackers to bypass authentication systems.
Vulnerability designated as cve-2024-4985 with the maximum rating of CVSS 10.0, gives unauthorizedly Users access to the system without preliminary authentication.
“On servers using SAML authentication with an optionally included function of encrypted statements, the attacker could fake SAML to receive access to an administrator’s account,” the company said.
Ghes is a software development platform that allows organizations to store and develop software using the GIT version management system and automate deployment processes.
Vulnerability affects all versions of Ghes until 3.13.0 and was eliminated in versions 3.9.15, 0.10.12, 3.11.10 and 3.12.4.
GITHUB also clarified that the function of encrypted default statements is not included, and vulnerability does not affect the systems that do not use SAML SSO authentication or use it without encrypted statements.
Highlights allow the site administrators to increase Ghes safety using SAML SSO, encrypting messages that SAML identification provider sends during authentication.
organizations using vulnerable versions of Ghes are recommended to update their systems to the latest versions to protect against potential security threats.