cbcvebase.
CVE-2024-9487
published 2024-10-10

Priority: P181
Severity: critical, CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Exploit: yes
EPSS: 22.44% (97.4th percentile)
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning of users and access to the instance. Exploitation required the encrypted assertions feature to be enabled, and the attacker would require direct network access as well as a signed SAML response or metadata document. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.15 and was fixed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. This vulnerability was reported via the GitHub Bug Bounty program.

Affected

8 ranges

Vendor   Product             Version range           Fixed in
github   enterprise_server   < 3.11.16               3.11.16
github   enterprise_server   3.11.0 – 3.11.15
github   enterprise_server   >= 3.12.0 < 3.12.10     3.12.10
github   enterprise_server   3.12.0 – 3.12.9
github   enterprise_server   >= 3.13.0 < 3.13.5      3.13.5
github   enterprise_server   3.13.0 – 3.13.4
github   enterprise_server   >= 3.14.0 < 3.14.2      3.14.2
github   enterprise_server   3.14.0 – 3.14.1

Detection & IOCs (extracted from sources)

URL: /saml/consume
Cookie: saml_csrf_token=
Path: /saml/metadata
Other: dotcom_user (response cookie indicating successful authentication bypass)

Snort/Suricata rule (Emerging Threats sid 2061124):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise SAML Authentication Bypass (CVE-2024-9487)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saml/consume"; fast_pattern; http.cookie; content:"saml_csrf_token|3d|"; http.request_body; content:"SAMLResponse|3d|"; base64_decode:offset 0, relative; base64_data; content:"|3c|saml2p|3a|Response|20|"; startswith; content:"|3c 2f|ds|3a|KeyInfo|3e 3c|ds|3a|Object"; distance:0; content:"|3c|samlp|3a|Response|20|"; distance:0; content:"|3c|saml2|3a|Assertion"; distance:0; content:"|3c|saml2|3a|EncryptedAssertion"; reference:url,projectdiscovery.io/blog/github-enterprise-saml-authentication-bypass; reference:cve,2024-9487; classtype:web-application-attack; sid:2061124; rev:1; metadata:affected_product Github_Enterprise, attack_target Server, tls_state TLSDecrypt, created_at 2025_03_27, cve CVE_2024_9487, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_03_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

Byte patterns matched by the rule, in order:
|3c|saml2p|3a|Response|20| ... |3c 2f|ds|3a|KeyInfo|3e 3c|ds|3a|Object ... |3c|samlp|3a|Response|20| ... |3c|saml2|3a|Assertion ... |3c|saml2|3a|EncryptedAssertion
  • Exploit traffic is a POST to /saml/consume with the saml_csrf_token cookie set and a SAMLResponse body parameter whose SAML payload carries a ds:Object node injected inside ds:Signature/ds:KeyInfo; this structural anomaly does not occur in legitimate SAML flows.
  • The crafted payload embeds a full samlp:Response node as a child of ds:Object inside the ds:Signature block, alongside a separate saml2:EncryptedAssertion. Detect the co-presence of a <ds:Object> containing a nested Response and a top-level EncryptedAssertion in the same SAML document.
  • The exploit prepends the padding string 'padinggggggggggg' to the assertion XML before AES-CBC encryption; this padding artifact may be detectable in decrypted assertion content where TLS inspection is available.
  • Exploitation requires the encrypted assertions feature to be enabled on the GHES instance; scope detection efforts to instances with this feature active.
  • The Shodan query 'title:"GitHub Enterprise"' identifies exposed GHES instances for asset inventory and attack-surface monitoring.
  • Exploitation is only possible when the 'encrypted assertions' feature is enabled on the GitHub Enterprise Server instance; instances without this feature enabled are not vulnerable.
  • The attacker must possess a valid signed SAML response or metadata document from the IdP; this is not a zero-knowledge attack, and some prior access to IdP-signed material is required.
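The structural checks the bullets above describe, as an added Python example that is not part of this record, of GitHub's code or of the referenced Snort rule: it parses a decoded SAMLResponse and flags a ds:Object inside ds:Signature, a Response nested in that Object, and the co-presence of such a nested Response with a top-level EncryptedAssertion. The two SAML skeletons are constructed inputs with no real signature or ciphertext, and the finding strings are labels chosen here.

```python
import xml.etree.ElementTree as ET

# Namespace URIs; prefixes (samlp/saml2p, saml/saml2) vary by IdP, so match on URIs.
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def inspect_saml_response(xml_text: str) -> list:
    """Return structural findings for a base64-decoded SAMLResponse document.

    A legitimate ds:Signature holds SignedInfo, SignatureValue and KeyInfo only;
    a ds:Object under it wrapping a whole samlp:Response, next to a top-level
    EncryptedAssertion, is the shape the IOC notes above describe.
    """
    root = ET.fromstring(xml_text)
    object_in_signature = nested_response = False
    for sig in root.iter(f"{{{DS}}}Signature"):
        for obj in sig.iter(f"{{{DS}}}Object"):
            object_in_signature = True
            if obj.find(f".//{{{SAMLP}}}Response") is not None:
                nested_response = True
    # EncryptedAssertion alone is normal when the feature is on; flag the combination.
    has_encrypted = root.find(f"{{{SAML}}}EncryptedAssertion") is not None
    findings = []
    if object_in_signature:
        findings.append("ds:Object inside ds:Signature")
    if nested_response:
        findings.append("samlp:Response nested in ds:Object")
    if nested_response and has_encrypted:
        findings.append("nested Response co-present with top-level EncryptedAssertion")
    return findings


# Constructed samples: element skeletons only, no real signature or ciphertext.
BENIGN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data/></ds:KeyInfo></ds:Signature>
  <saml:Assertion ID="_a1"/>
</samlp:Response>"""

CRAFTED_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo><ds:Object><saml2p:Response><saml2:Assertion ID="_a1"/></saml2p:Response></ds:Object>
    </ds:KeyInfo></ds:Signature>
  <saml2:EncryptedAssertion/>
</saml2p:Response>"""
```

For untrusted input in production, parse with defusedxml rather than the stdlib parser; the stdlib is used here so the example runs without dependencies.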

CVSS provenance

NVD, CVSS v3.1: 9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
NVD, CVSS v4.0: 9.5 CRITICAL (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Red)