CVE-2024-6800
published 2024-08-20

Priority: P2 (69)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.53% (71.5th percentile)
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific identity providers utilizing publicly exposed signed federation metadata XML. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.

Affected (8 ranges)

Vendor  Product                   Version range         Fixed in
github  enterprise_server         >= 3.10.0 < 3.10.16   3.10.16
github  enterprise_server         >= 3.11.0 < 3.11.14   3.11.14
github  enterprise_server         >= 3.12.0 < 3.12.8    3.12.8
github  enterprise_server         >= 3.13.0 < 3.13.3    3.13.3
github  github_enterprise_server  3.10.0 – 3.10.15
github  github_enterprise_server  3.11.0 – 3.11.13
github  github_enterprise_server  3.12.0 – 3.12.7
github  github_enterprise_server  3.13.0 – 3.13.2

Detection & IOCs (extracted from sources)

  • Detect forged SAML responses targeting GHES — monitor for SAML assertions granting site administrator privileges from unexpected or external identity providers
  • Flag SAML authentication events that succeed without prior authentication state or session, particularly those resulting in new site administrator account provisioning
  • Monitor GHES instances for XML signature wrapping patterns in SAML POST bindings — look for SAML responses containing multiple Assertion or Signature elements, a classic XSW indicator
  • Audit GHES instances exposed on the public internet running versions prior to 3.13.3, 3.12.8, 3.11.14, or 3.10.16 as all prior versions are vulnerable
  • Use FOFA or similar asset discovery to identify internet-exposed GHES instances (36,500+ identified publicly); prioritize those in the US (29,200) for patch verification
  • The vulnerability is only exploitable when SAML authentication is enabled AND the identity provider uses publicly exposed signed federation metadata XML; instances not using SAML, or using private/unexposed federation metadata, are not affected by this specific attack vector
  • Exploitation requires direct network access to the GHES instance; purely air-gapped or strictly firewalled instances with no attacker-reachable network path are at reduced risk
  • After applying the security update, some services may show configuration errors but the instance should still start correctly; admins should review the 'Known issues' section before patching
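The third bullet above describes the classic signature-wrapping indicators (multiple Assertion or Signature elements). As an added detection example, not code from the CVE record or from GitHub, the heuristics below run over a decoded SAML Response and report those indicators plus two closely related ones: an Assertion that is not a direct child of the Response, a duplicated ID value, and a Signature whose Reference URI does not point at the element enclosing it. The two sample responses are constructed for the example; a real SAMLResponse POST parameter would first have to be base64-decoded.

```python
# Added example (not from the CVE record or from GitHub): heuristic XSW
# indicator checks over a decoded SAML Response, suitable for a detection
# pipeline or a log-enrichment step. The sample responses are constructed.
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def qn(ns, local):
    """Clark-notation qualified name, as ElementTree expects in tags and paths."""
    return "{%s}%s" % (ns, local)


def local_name(tag):
    return tag.split("}")[-1]


def xsw_indicators(xml_text):
    """Return a list of indicator strings; an empty list means nothing suspicious.

    These are triage heuristics, not a replacement for correct signature
    validation: the authoritative check is that the element whose signature was
    verified is the very element the service provider then consumes.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent = {child: p for p in root.iter() for child in p}
    findings = []

    assertions = list(root.iter(qn(NS_SAML, "Assertion")))
    signatures = list(root.iter(qn(NS_DS, "Signature")))

    if len(assertions) != 1:
        findings.append("%d Assertion elements (expected exactly 1)" % len(assertions))
    # A legitimate response carries at most one Signature on the Response
    # and one on the Assertion.
    if len(signatures) > 2:
        findings.append("%d Signature elements (expected at most 2)" % len(signatures))

    # Every Assertion should be a direct child of the Response; an Assertion
    # tucked under Extensions, Object or another wrapper is the XSW hallmark.
    for a in assertions:
        p = parent.get(a)
        if p is None or p.tag != qn(NS_SAMLP, "Response"):
            where = local_name(p.tag) if p is not None else "(root)"
            findings.append("Assertion ID=%s nested under %s, not Response" % (a.get("ID"), where))

    # Duplicate ID values point at a copied element.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append("duplicate ID value %s" % dup)

    # Each enveloped Signature must reference the ID of the element enclosing it.
    for s in signatures:
        ref = s.find("%s/%s" % (qn(NS_DS, "SignedInfo"), qn(NS_DS, "Reference")))
        uri = ref.get("URI", "") if ref is not None else ""
        enclosing = parent.get(s)
        enclosing_id = enclosing.get("ID") if enclosing is not None else None
        if enclosing_id is None or uri != "#" + enclosing_id:
            findings.append("Signature Reference %r does not match enclosing ID %r" % (uri, enclosing_id))
    return findings


_HEAD = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">'
         % (NS_SAMLP, NS_SAML, NS_DS))
_SIGNED_ASSERTION = """<saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed: a well-formed response with a single signed assertion.
CLEAN_RESPONSE = _HEAD + _SIGNED_ASSERTION + "</samlp:Response>"

# Constructed: the signed assertion has been moved under Extensions and an
# unsigned assertion reusing its ID sits at the top level.
WRAPPED_RESPONSE = (_HEAD + "<samlp:Extensions>" + _SIGNED_ASSERTION + "</samlp:Extensions>"
                    + '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>bob</saml:NameID>'
                    "</saml:Subject></saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        print(label, xsw_indicators(doc) or "no indicators")
```

Run against the clean sample the function returns nothing; against the wrapped sample it reports the extra Assertion, the nesting under Extensions and the duplicated ID. Treat any hit as a reason to quarantine the login event and inspect the raw response, and remember that a correctly patched service provider should reject such a document outright regardless of these heuristics.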

CVSS provenance

nvd           v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v4.0  9.5  CRITICAL  CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:H/U:Red
cisa                7.2  HIGH
vendor_cisco        7.5  HIGH