No Comments

GitHub Fixes Critical Security Vulnerability

 

GitHub has rolled out updates to resolve three security vulnerabilities affecting its Enterprise Server product, including a critical flaw that could be exploited to obtain site administrator privileges.

The most severe issue, identified as CVE-2024-6800, has been rated with a CVSS score of 9.5.

According to GitHub‘s advisory, “On instances of GitHub Enterprise Server utilizing SAML single sign-on (SSO) authentication with specific identity providers (IdPs) that expose signed federation metadata XML publicly, an attacker could craft a SAML response to either provision or gain access to a user account with site administrator privileges.”

Additionally, the Microsoft-owned company has fixed two medium-severity vulnerabilities:

  • CVE-2024-7711 (CVSS score: 5.3) – An authorization flaw allowing attackers to modify the title, assignees, and labels of any issue in a public repository.
  • CVE-2024-6337 (CVSS score: 5.9) – An authorization issue that could allow attackers to access issue details from a private repository through a GitHub App with only contents: read and pull requests: write permissions.

All three flaws have been patched in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

In May, GitHub addressed another critical vulnerability (CVE-2024-4985, CVSS score: 10.0) that allowed unauthorized access to an instance without prior authentication.

Organizations using a vulnerable self-hosted version of GHES are strongly urged to upgrade to the latest version to protect against these security risks.

 


Source: TheHackerNews

Read other news at our blog

You might also like

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.