Attackers can use publicly exposed federation metadata to fake SAML responses and gain admin privileges.

GitHub, the Microsoft-owned source code management platform, has rolled out fixes for three vulnerabilities affecting its Enterprise Server product, including a critical one that hands an attacker site administrator privileges.

Reported via the GitHub Bug Bounty Program, the critical vulnerability, tracked as CVE-2024-6800, has received a CVSS rating of 9.5 out of 10.

“On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” the version control platform said in an advisory.

The vulnerability has been fixed in the 3.13.3, 3.12.8, 3.11.14, and 3.10.16 releases of GitHub Enterprise Server.

Exposed federation metadata

According to the advisory, the flaw affects GitHub Enterprise Server instances (the self-hosted version of GitHub that lets organizations run their own GitHub on their own infrastructure) that use Security Assertion Markup Language (SAML) single sign-on for authentication.

In SAML, the identity provider (IdP) and the service provider (here, GitHub Enterprise Server) exchange configuration through a federation metadata XML document. It describes the IdP’s endpoints, such as where SAML assertions are issued, and carries the public keys, as X.509 certificates, that the service provider uses to verify the signatures on SAML responses. Many IdPs publish this document at a public URL, usually signed with the IdP’s own key, and that is by design: nothing in it is secret, and possession of a public key does not let anyone produce a valid signature.

The public metadata is therefore not a leak of secrets; the weakness lies in how the service provider validates signed responses from such IdPs. A validator that confirms an IdP signature exists somewhere in the document, but does not check that the signature covers the exact assertion it then acts on, can be fed a genuinely IdP-signed element (the publicly available signed metadata is one ready source) alongside an unsigned, attacker-written assertion. That is the classic XML signature wrapping pattern, and it fits why the advisory singles out IdPs whose signed metadata is public. The outcome is that an attacker could forge a SAML response that provisions a new account, or grants access to an existing one, with site administrator privileges.
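As an added example (not code from the article, from GitHub, or from any IdP), the following Python script parses a constructed sample of signed IdP federation metadata the way a service provider would, and then applies the structural checks that tie a SAML response's signature to the assertion being trusted: exactly one assertion, an enveloped signature that is the assertion's own child and references the assertion's ID, no duplicate IDs, and no signatures over any other element. The XML, IDs, hostnames, certificate and signature values are all placeholders; cryptographic verification of the SignatureValue against the metadata certificate is assumed to be done by a real XML-DSig library after these checks pass and is not implemented here. The script is not a reconstruction of GitHub Enterprise Server's internals; it shows the class of check whose absence lets a signed document such as public metadata vouch for a forged response.

```python
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG = f"{{{NS['ds']}}}Signature"

# Constructed sample of the signed federation metadata an IdP publishes at a
# public URL. Certificate and signature values are placeholders, not real keys.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_md1" entityID="https://idp.example.test/saml">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_md1"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed legitimate response: the assertion carries its own signature
# whose Reference points at the assertion's ID.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed forgery: the only signature in the document is the IdP's genuine
# signature over its public metadata, copied in wholesale, while the assertion
# naming the victim account is unsigned. A validator that merely asks "is there
# a valid IdP signature somewhere in here?" would accept it.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_r1">
  <md:EntityDescriptor ID="_md1" entityID="https://idp.example.test/saml">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_md1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </md:EntityDescriptor>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>site-admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Extract what the service provider needs from IdP metadata: entity ID,
    SSO endpoint per binding, and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    for endpoint in idp.findall("md:SingleSignOnService", NS):
        info["sso"][endpoint.get("Binding")] = endpoint.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                info["signing_certs"].append("".join(cert.text.split()))
    return info


def signed_subject(response_xml):
    """Return the NameID of the single assertion whose own enveloped signature
    covers it; raise ValueError for anything else."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("root element is not samlp:Response")
    # Duplicate IDs would let a signed element stand in for an unsigned one.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes in response")
    assertions = root.findall("saml:Assertion", NS)  # direct children only
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one assertion, found {len(assertions)}")
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)  # must be the assertion's own child
    if sig is None:
        raise ValueError("assertion is not signed")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + (assertion.get("ID") or ""):
        raise ValueError("signature does not reference this assertion")
    # Only the assertion's signature and an optional response-level one are allowed.
    allowed = [sig, root.find("ds:Signature", NS)]
    for s in root.iter(SIG):
        if not any(s is a for a in allowed):
            raise ValueError("signature over an unexpected element")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    return name_id.text.strip()


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print("good response subject:", signed_subject(GOOD_RESPONSE))
    try:
        signed_subject(WRAPPED_RESPONSE)
    except ValueError as err:
        print("wrapped response rejected:", err)
```

The checks are deliberately order-independent of the cryptography: a response must fail these structural tests before any signature bytes are examined, so that the verified signature and the trusted assertion are always the same element.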
The flaw is critical enough to give attackers site administrator privileges on the GitHub Enterprise Server instance itself, exposing the organization’s private repositories. Affected versions are GitHub Enterprise Server 3.10.0 to 3.10.15, 3.11.0 to 3.11.13, 3.12.0 to 3.12.7, and 3.13.0 to 3.13.2.

Two moderately rated bugs also fixed

One of the other vulnerabilities fixed in the same releases is CVE-2024-7711, which received a “medium” severity rating with a CVSS score of 5.3. It is an incorrect authorization vulnerability that allows an attacker to update the title, assignees, and labels of any issue inside a public repository, according to GitHub.

CVE-2024-6337, the third vulnerability addressed in the releases, is another incorrect authorization vulnerability. It can allow an attacker to disclose the contents of issues in a private repository using a GitHub App that holds only contents: read and pull requests: write permissions. “This (CVE-2024-6337) was only exploitable via user access token, and installation access tokens were not impacted,” GitHub added. The vulnerability received a CVSS rating of 5.9.

This is the second time in three months that GitHub Enterprise Server has been hit by a critical SAML authentication bug. In May, the product was affected by a vulnerability with a maximum CVSS score of 10 out of 10 that exposed GitHub Enterprise customers to attackers gaining administrator privileges on their instances.