GitHub Enterprise Server has a critical security flaw, so patch now

GitHub Enterprise Server, the self-hosted version of the GitHub platform, was found carrying a vulnerability that allowed malicious actors to elevate their privileges to admin.

The vulnerability, tracked as CVE-2024-6800, and has a severity rating of 9.5/10 (critical), is described as an XML signature wrapping issue. It happens when the victim uses the Security Assertion Markup Language (SAML) authentication standard, with certain ID providers.

“On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” GitHub said in a security advisory.

Big bounty

Patches are available for multiple versions, it was added. The earliest secure versions of GitHub Enterprise Server are 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

Citing data from the FOFA search engine, BleepingComputer claims that there are more than 36,500 internet-connected instances, making the attack surface relatively large. Of those servers, the majority (29,200) is sitting in the United States. However, it is impossible to determine how many are running vulnerable software versions. History teaches us that IT teams are rarely that diligent, and that it will take weeks, if not months, for the majority of instances to upgrade to the latest version.

Still, if your organization is running GHES, don’t hesitate with the update, since the flaw allows threat actors to take over vulnerable endpoints.

The new versions of the platform also fix two additional vulnerabilities: CVE-2024-7711, and CVE-2024-6337. The former allows attackers to modify issues on public repositories, while the latter allows publicly disclosing issue content from a private repository.

GitHub added that certain services might display error messages during configuration, but the instance should still start properly.

Via BleepingComputer

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/2viAsX89eJReYQEQ3i3SwH-1200-80.jpg

Source link

Castlery promo codes for October 2024

Apple’s Intelligence’s free ChatGPT upgrade may come sooner than expected with a Visual Intelligence bonus

DeleteMe coupon codes for October 2024 |

Cricut promo codes for October 2024

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

GitHub Enterprise Server has a critical security flaw, so patch now

Castlery promo codes for October 2024

Apple’s Intelligence’s free ChatGPT upgrade may come sooner than expected with a Visual Intelligence bonus

DeleteMe coupon codes for October 2024 |

Cricut promo codes for October 2024