GitHub Fixes Serious Security Vulnerability in Enterprise Server That Allows Administrator Access


Three security flaws that were impacting the Enterprise Server product from GitHub have been resolved, one of which is a serious issue that may be exploited to get site administrator privileges.

Three security vulnerabilities affecting GitHub’s Enterprise Server product have been fixed, one of which is a significant problem that may be used to obtain site administrator rights. With a CVSS score of 9.5, the most serious of the flaws has been given the CVE designation CVE-2024-6800. “On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges,” an advisory from GitHub stated.

Additionally, the Microsoft-owned company fixed two medium-severity bugs. An incorrect-permission vulnerability, tracked as CVE-2024-7711 (CVSS score: 5.3), could let an attacker change the title, assignees, and labels of any issue within a public repository. An improper authorization vulnerability, CVE-2024-6337 (CVSS score: 5.9), could let an attacker read issue contents from a private repository using a GitHub App that holds only 'contents: read' and 'pull requests: write' permissions. All three flaws are fixed in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

A critical security vulnerability (CVE-2024-4985, CVSS score: 10.0) that could allow unauthorized access to an instance without prior authentication was also addressed by GitHub back in May. Organizations running an outdated, self-hosted version of GHES are strongly advised to upgrade to the most recent release in order to protect themselves from these security risks.
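For administrators who run several self-hosted instances, the practical question is which of them are still below the first patched release on their release line. The following Python script is an added example, not GitHub's own code: it takes the fixed versions named in this article, compares each instance's reported version against the matching release line, and flags instances on lines the article does not cover for manual review. The host names and version strings in the sample inventory are constructed.

```python
"""Check whether GitHub Enterprise Server (GHES) instances carry the fixes for
CVE-2024-6800, CVE-2024-7711 and CVE-2024-6337.

Added example, not GitHub's code. The fixed versions come from the advisory
summary in the article; the sample inventory below is constructed.
"""
from __future__ import annotations

# First patched release on each GHES release line named in the article.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (3, 10): (3, 10, 16),
    (3, 11): (3, 11, 14),
    (3, 12): (3, 12, 8),
    (3, 13): (3, 13, 3),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (optionally prefixed with 'v') into a comparable tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one instance.

    'unsupported' covers release lines the article does not list: older lines
    received no fix, and newer lines are outside its scope, so both need a
    manual check rather than a silent pass.
    """
    version = parse_version(version_text)
    line = version[:2]
    if line not in FIXED_VERSIONS:
        return "unsupported"
    return "patched" if version >= FIXED_VERSIONS[line] else "vulnerable"


def assess_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host in an inventory export to its patch status."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = {
        "ghes-prod.example.internal": "3.12.7",
        "ghes-dr.example.internal": "3.13.3",
        "ghes-lab.example.internal": "3.9.12",
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host}: {status}")
```

The comparison is done per release line rather than against a single "latest" version, because GHES ships the same fix as a patch release on each supported line; an instance on 3.11.14 is patched even though 3.13.3 is newer.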
