GitHub Enterprise Server, the self-hosted version of the GitHub platform, was discovered to contain a vulnerability that could allow attackers to elevate their privileges to administrative rights.
The vulnerability, tracked as CVE-2024-6800 and has a severity rating of 9.5/10 (critical), is described as an XML signature wrapping issue. It occurs when the victim uses the Security Assertion Markup Language (SAML) authentication standard, with certain ID providers.
“On GitHub Enterprise Server instances using SAML single sign-on (SSO) authentication with specific IdPs using publicly accessible signed federation metadata XML, an attacker can forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” GitHub said in a security advisory.
Great reward
Patches are available for multiple versions, it added. The earliest secure versions of GitHub Enterprise Server are 3.13.3, 3.12.8, 3.11.14, and 3.10.16.
Referring to data from the FOFA search engine, BleepingComputer claims that there are over 36,500 Internet-connected instances, making the attack surface relatively large. Of those servers, the majority (29,200) are located in the United States. However, it is impossible to determine how many vulnerable software versions are running. History shows that IT teams are rarely this diligent, and it will take weeks, if not months, for the majority of instances to be upgraded to the latest version.
If your organization uses GHES, you should not hesitate to update as the vulnerability allows attackers to take over vulnerable endpoints.
The new versions of the platform also address two additional vulnerabilities: CVE-2024-7711 and CVE-2024-6337. The former allows attackers to modify issues in public repositories, while the latter allows the disclosure of issue content from a private repository.
GitHub added that certain services may display errors during configuration, but the instance should still start correctly.
Via BleepingComputer