• +33 877 554 332
  • info@website.com
PHL Tech Magazine

Post: Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now!

coder_prem

coder_prem

Hi, I'm Prem. I'm professional WordPress Web Developer. I developed this website. And writing articles about Finance, Startup, Business, Marketing and Tech is my hobby.
Hope you will always get informative articles which will help you to startup your business.
If you need any kind of wordpress website then feel free to contact me at webexpertprem@gmail.com

Categories

Recent Posts


Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now!

GitHub addressed a vulnerability in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication.

GitHub has rolled out security fixes to address a critical authentication bypass issue, tracked as CVE-2024-4985 (CVSS score: 10.0), in the GitHub Enterprise Server (GHES).

GitHub Enterprise Server (GHES) is a self-hosted version of GitHub designed for use within organizations. It provides the full capabilities of GitHub, including source code management, version control, collaboration tools, and continuous integration and delivery (CI/CD), but allows organizations to host the platform on their own infrastructure. This setup is ideal for companies that require more control over their data, enhanced security, and customization to meet internal compliance and regulatory requirements.

The authentication bypass vulnerability impacts GHES when using SAML single sign-on with encrypted assertions. An attacker can trigger the issue to forge SAML responses, granting them site administrator privileges without prior authentication.

“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.” reads the advisory published by the company. “Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO or utilizing SAML SSO authentication without encrypted assertions are not impacted. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.”

The company pointed out that encrypted assertions are not enabled by default and that the vulnerability only affects installs using SAML single sign-on (SSO) or those that use SAML SSO authentication with encrypted assertions. Encrypted assertions are a security measure that allows encrypting the messages that the SAML identity provider (IdP) sends SAML SSO.

The vulnerability affected all GHES versions before 3.13.0 and was addressed with the release of versions 3.9.15, 3.10.12, 3.11.10, and 3.12.4. The issue was reported through the GitHub Bug Bounty program.

Lora Helmin

Lora Helmin

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Popular Posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

Tench Coxe Is Now an Nvidia Billionaire, Like Jensen Huang
Entrepreneurship
Ryan January 2, 2025

Tench Coxe Is Now an Nvidia…

Why I Wouldn’t Start Affiliate Marketing in 2025 (And What I’d Do Instead)
Marketing
Ryan January 2, 2025

Why I Wouldn’t Start Affiliate Marketing…

Playtime’s Unique Features That Other Apps Can’t Beat
Entrepreneurship
Ryan January 2, 2025

Playtime’s Unique Features That Other Apps…

PHL Tech Magazine

“PHL TECH Magazine is your go-to online destination for all things tech. Stay updated with the latest news, trends, and innovations in the world of technology. Explore in-depth articles, interviews, and reviews that delve into the exciting realm of gadgets, software, startups, and more. Join our vibrant community and immerse yourself in the ever-evolving world of tech with PHL TECH Magazine.”

About PHL TECH MAGAZINE

Your one-stop source for startup, business, finance, and tech news. Stay informed with our timely articles on innovation, entrepreneurship, and the latest industry trends.

Recent Posts

Get interesting news

Subscribe to our newsletter and we’ll send you the emails of latest posts.

2023 PHL TECH MAGAZINE. All rights reserved. Designed with CoderPrem.