![GitHub Enterprise Server Authentication Bypass](https://techhyme.com/wp-content/uploads/2024/05/GitHub-Enterprise-Server-Authentication-Bypass-1024x503.jpg)
GitHub, the renowned platform for software development, recently addressed a critical flaw in the GitHub Enterprise Server (GHES) that could potentially allow an attacker to bypass authentication protections. This vulnerability, tracked as CVE-2024-4985, carries a maximum severity rating with a Common Vulnerability Scoring System (CVSS) score of 10.0.
The flaw could permit unauthorized access to a GHES instance without requiring prior authentication. Specifically, on instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.
The issue affects all GHES versions prior to 3.13.0. GitHub has addressed the flaw in the following patched releases: 3.9.15, 3.10.12, 3.11.10, and 3.12.4.
GitHub further noted that encrypted assertions are not enabled by default. The flaw therefore does not affect instances that do not use SAML single sign-on (SSO), nor those that use SAML SSO without encrypted assertions. Encrypted assertions let site administrators harden a GHES instance's SAML SSO by encrypting the messages that the SAML identity provider (IdP) sends during the authentication process.
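As an added illustration (not GitHub's code), the following triage helper encodes the affected-version ranges and the configuration condition described above so an operator can check an inventory of instances; the inventory rows and the two boolean flags are constructed assumptions about how an operator records their own SAML settings.

```python
# Affected-version triage for CVE-2024-4985 (GHES SAML encrypted assertions).
# Added example, not GitHub's code. Version thresholds and the configuration
# condition come from the advisory above; the two boolean flags are assumed
# to be read from the operator's own inventory.

# First fixed release on each affected branch, per the advisory.
FIXED_VERSIONS = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# Releases at or above this version were never affected.
FIRST_UNAFFECTED = (3, 13, 0)


def parse_version(text):
    """Parse a GHES version string such as '3.11.9' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_is_vulnerable(version):
    """True if this release lacks the fix, regardless of SAML configuration."""
    v = parse_version(version)
    if v >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Branches older than 3.9 get no fix in the advisory: treat as vulnerable.
        return True
    return v < fixed


def instance_exposed(version, saml_sso, encrypted_assertions):
    """Exposed only when unpatched AND SAML SSO uses encrypted assertions."""
    return version_is_vulnerable(version) and saml_sso and encrypted_assertions


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, saml_sso, encrypted_assertions)
    inventory = [
        ("ghes-a.example.internal", "3.11.9", True, True),
        ("ghes-b.example.internal", "3.11.9", True, False),
        ("ghes-c.example.internal", "3.12.4", True, True),
    ]
    for host, ver, sso, enc in inventory:
        print(host, ver, "EXPOSED" if instance_exposed(ver, sso, enc) else "not exposed")
```

Only the first sample host is reported as exposed: the second runs SAML SSO without encrypted assertions, and the third is already on a patched release.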
This incident underscores the importance of robust security measures in software development platforms. It also highlights the need for regular updates and patches to ensure the security of these platforms against potential threats. As the digital landscape continues to evolve, so too must the security measures that protect it.