GitHub has released security patches for Enterprise Server (GHES) to address several issues, including a critical flaw that could allow unauthorized access to an instance.
The vulnerability, tracked as CVE-2024-9487, carries a CVSS score of 9.5 out of a maximum of 10.0.
“A threat actor could circumvent SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, enabling unauthorized allocation of users and access to the instance, by leveraging an inappropriate verification of cryptographic signatures vulnerability in GitHub Enterprise Server,” GitHub stated in an alert.
The Microsoft-owned company described the flaw as a regression introduced during the follow-up remediation of CVE-2024-4985 (CVSS score: 10.0), a maximum-severity weakness that was fixed in May 2024.
GitHub also addressed two other flaws:
- CVE-2024-9539 (CVSS score: 5.7) – An information disclosure vulnerability that could allow an attacker to retrieve metadata associated with a target user when that user interacts with malicious URLs for SVG assets
- An exposure of sensitive data in HTML forms in the management console (no CVE)
All three security vulnerabilities have been resolved in Enterprise Server versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16.
Earlier, in August, GitHub also fixed a critical security flaw (CVE-2024-6800, CVSS score: 9.5) that could be exploited to gain site administrator privileges.
Organizations running a vulnerable self-hosted version of GHES are strongly advised to upgrade to the latest version to protect against potential security risks.
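For administrators who manage several GHES instances, the practical question is which ones still sit below the fixed release on their 3.x line. The following script is an added example (not GitHub's code and not part of the advisory): it takes the four fixed versions listed above, compares a reported version against the fix for its own minor line, and flags hosts that need an upgrade. The hostnames and versions in the sample inventory are constructed, and the rule that release lines newer than 3.14 already carry the fix is an assumption, not something the advisory states.

```python
"""Flag GHES instances that lack the fixes for CVE-2024-9487 and CVE-2024-9539.

Added example; fixed versions are the ones named in GitHub's advisory
(3.14.2, 3.13.5, 3.12.10, 3.11.16). Hostnames below are constructed.
"""

# Minimum patched release on each supported 3.x line, keyed by (major, minor).
PATCHED_VERSIONS = {
    (3, 14): (3, 14, 2),
    (3, 13): (3, 13, 5),
    (3, 12): (3, 12, 10),
    (3, 11): (3, 11, 16),
}


def parse_version(version):
    """Parse 'X.Y.Z' into a comparable (major, minor, patch) tuple.

    Anything that is not exactly three numeric components is rejected, so a
    typo in an inventory file fails loudly instead of being treated as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized GHES version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version):
    """Return True if `version` carries the October 2024 fixes.

    Each supported line is compared against its own fixed release, so 3.13.5
    counts as patched even though it is numerically lower than 3.14.1, which
    does not. Lines older than 3.11 received no fix and are reported as
    unpatched.
    """
    major, minor, patch = parse_version(version)
    fixed = PATCHED_VERSIONS.get((major, minor))
    if fixed is None:
        # Assumption (not from the advisory): a line newer than the newest
        # patched line was cut after the fix landed and therefore includes it.
        return (major, minor) > max(PATCHED_VERSIONS)
    return (major, minor, patch) >= fixed


def hosts_needing_upgrade(inventory):
    """Return the hostnames whose reported version lacks the fixes."""
    return [host for host, version in inventory if not is_patched(version)]


# Constructed sample inventory: (hostname, reported GHES version).
SAMPLE_INVENTORY = [
    ("ghes-prod.example.internal", "3.13.4"),     # one patch behind on 3.13
    ("ghes-staging.example.internal", "3.14.2"),  # fixed release on 3.14
    ("ghes-legacy.example.internal", "3.10.9"),   # unsupported line, no fix
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required")
```

The per-line comparison matters because a plain numeric comparison against the newest fixed version (3.14.2) would wrongly report every 3.11, 3.12 and 3.13 instance as vulnerable, including ones that already run their line's fixed release.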