CVE-2024-4985
Published 2024-05-20
Priority: P274 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.57% (percentile 83.2)
An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sign-on authentication with the optional encrypted assertions feature. This vulnerability allowed an attacker to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13.0 and was fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4. This vulnerability was reported via the GitHub Bug Bounty program.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github | enterprise_server | < 3.9.15 | 3.9.15 |
| github | enterprise_server | 3.9.0 – 3.9.14 | — |
| github | enterprise_server | >= 3.10.0 < 3.10.12 | 3.10.12 |
| github | enterprise_server | 3.10.0 – 3.10.11 | — |
| github | enterprise_server | >= 3.11.0 < 3.11.10 | 3.11.10 |
| github | enterprise_server | 3.11.0 – 3.11.9 | — |
| github | enterprise_server | >= 3.12.0 < 3.12.4 | 3.12.4 |
| github | enterprise_server | 3.12.0 – 3.12.3 | — |
Detection & IOCs (extracted from sources)
- Target instances must have SAML SSO with encrypted assertions enabled. This optional feature is not the default, so detections should focus on GHES deployments where encrypted assertions have been explicitly configured.
- Exploitation produces a forged SAML response that provisions or grants access to a site administrator account. Hunt for unexpected site administrator account creation or privilege escalation events in GHES audit logs, especially those correlated with SAML authentication events and no prior authenticated session.
- Audit log anomaly: all client IPs may appear as 127.0.0.1 when X-Forwarded-For is used behind a load balancer. Correlate SAML authentication events with true source IPs via upstream load balancer logs rather than relying solely on GHES audit logs.
- The vulnerability only affects GHES instances where SAML SSO with encrypted assertions is explicitly enabled; instances using SAML SSO without encrypted assertions, or not using SAML at all, are not affected.
- All GHES versions prior to 3.13.0 are vulnerable; fixed versions are 3.9.15, 3.10.12, 3.11.10 and 3.12.4. Verify the exact installed version before concluding exposure.
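The two conditions above (release line and patch level, plus whether encrypted assertions are enabled) can be encoded as a small triage check. The following is an added example, not code from the advisory or from GitHub; it encodes the fixed-in table on this page and takes the encrypted-assertions setting as an operator-supplied input rather than reading GHES configuration.

```python
# Added example (not the advisory's or GitHub's code): triage a GHES instance
# against the CVE-2024-4985 fixed-in table listed on this page.

# Per-release-line fixed versions from the advisory; 3.13.0 and later are unaffected.
FIXED_IN = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version, encrypted_assertions_enabled):
    """Return (status, note); status is 'not affected', 'patched' or 'vulnerable'.

    encrypted_assertions_enabled is the operator's answer to "is SAML SSO with the
    optional encrypted assertions feature turned on?" (assumption: the caller has
    checked the SAML settings; this function does not read GHES configuration).
    """
    v = parse_version(version)
    if not encrypted_assertions_enabled:
        return ("not affected", "SAML encrypted assertions not enabled")
    if v >= FIRST_UNAFFECTED:
        return ("not affected", "3.13.0 or later")
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # Release lines below 3.13.0 that received no patch (e.g. 3.8.x) stay exposed.
        return ("vulnerable", f"release line {v[0]}.{v[1]} has no fix; move to a patched line")
    if v < fixed:
        return ("vulnerable", "upgrade to " + ".".join(map(str, fixed)))
    return ("patched", "running " + version.strip())


if __name__ == "__main__":
    # Constructed sample inputs, one per branch of the decision.
    for ver, enc in [("3.9.14", True), ("3.12.4", True), ("3.8.20", True), ("3.11.9", False)]:
        print(ver, enc, assess(ver, enc))
```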
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 10.0 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Red
No detection rules found.
No public exploits indexed.
References
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.15
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.12
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.10
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.4