Full Report
GitHub security advisory (AV26-650)
Analysis Summary
# Vulnerability: GitHub Enterprise Server Multiple Security Flaws (AV26-650)
## CVE Details
- **CVE ID:** CVE-2024-4985 (Primary focus of this release cycle)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** GitHub Enterprise Server (GHES)
- **Versions:**
- 3.21.x prior to 3.21.2
- 3.20.x prior to 3.20.4
- 3.19.x prior to 3.19.8
- 3.18.x prior to 3.18.11
- 3.17.x prior to 3.17.17
- **Configurations:** Systems utilizing SAML single sign-on (SSO) with the optional **encrypted assertions** feature enabled.
## Vulnerability Description
The vulnerability allows an attacker to bypass authentication mechanisms by forging a SAML response. In specific configurations where SAML encrypted assertions are used, GitHub Enterprise Server does not properly validate the signature of the SAML response. This flaw could allow an unauthorized actor to gain administrator access to the instance without possessing valid credentials.
## Exploitation
- **Status:** Not currently reported as exploited in the wild (as of the advisory date).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to repositories and user data)
- **Integrity:** High (Ability to modify code and settings)
- **Availability:** High (Ability to delete data or disrupt services)
## Remediation
### Patches
Update to one of the following fixed versions immediately:
- GitHub Enterprise Server **3.21.2**
- GitHub Enterprise Server **3.20.4**
- GitHub Enterprise Server **3.19.8**
- GitHub Enterprise Server **3.18.11**
- GitHub Enterprise Server **3.17.17**
**Critical Operational Note:** GitHub has transitioned to a new public key for signing future patches. To ensure continued ability to update, administrators must rotate to the new public key before subsequent releases can be applied.
### Workarounds
No official workaround is provided other than updating the software. Disabling SAML SSO or disabling encrypted assertions (if possible within your security policy) may reduce exposure, but patching is the recommended course of action.
## Detection
- **Indicators of Compromise:** Monitor audit logs for unusual login activity or unauthorized account creations, particularly those originating from SAML-linked identities with administrative privileges.
- **Detection methods and tools:** Audit internal SAML provider logs for any discrepancies between issued assertions and logins recorded on the GHES instance.
## References
- **Vendor Advisories:**
- hxxps[://]docs[.]github[.]com/en/[email protected]/admin/release-notes
- hxxps[://]docs[.]github[.]com/en/[email protected]/admin/release-notes
- hxxps[://]docs[.]github[.]com/en/[email protected]/admin/release-notes
- **Relevant Links:**
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/github-security-advisory-av26-650