GitHub has fixed a maximum-severity (CVSS v4 score: 10.0) authentication bypass vulnerability, tracked as CVE-2024-4985, that affects GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.
Exploiting the flaw lets an attacker forge a SAML response and either provision a new administrator account or sign in as an existing one, giving unrestricted access to everything on the instance without any valid credentials.
GHES is a self-hosted version of GitHub designed for organizations that prefer to store repositories on their own servers or private cloud environments.
It caters to the needs of large enterprises or development teams that require greater control over their assets, entities handling sensitive or proprietary data, organizations with high-performance needs, and users requiring offline access capabilities.
The flaw, which was reported through GitHub’s Bug Bounty program, only affects instances that use Security Assertion Markup Language (SAML) SSO with the optional encrypted assertions feature enabled. That feature encrypts the assertion inside the SAML response so its contents cannot be read by anyone who intercepts the response in transit, such as a man-in-the-middle.
“On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges.” – GitHub.
Because encrypted assertions are not enabled by default on GHES, CVE-2024-4985 only affects instances whose administrators have explicitly turned the feature on.
The vulnerability is fixed in GHES versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15, all released on May 20, 2024.
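As an added triage check (this is not code from GitHub or from the bulletin), the script below classifies a GHES version string against the patched releases listed above and combines that with whether encrypted assertions are enabled, which is the only configuration the advisory describes as exposed. It assumes the version string was taken from the instance’s `GET /api/v3/meta` response (`installed_version` field) and that the encrypted-assertions setting was read off the Management Console; both inputs are passed in as plain values so the check runs offline.

```python
"""Classify a GitHub Enterprise Server version against CVE-2024-4985.

Added example, not GitHub's code. Fixed releases are taken from the
bulletin (3.9.15, 3.10.12, 3.11.10, 3.12.4). Assumptions: the version
string is the "installed_version" value from GET /api/v3/meta, e.g.
    curl -s https://ghes.example.com/api/v3/meta | jq -r .installed_version
and the encrypted-assertions flag is read from the Management Console's
SAML settings and passed in as a boolean.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First patched release on each supported minor line, per the bulletin.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; reject anything else."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fixed release for its minor line,
    False if below it, None if the minor line is not covered by the bulletin
    (e.g. an end-of-life or newer line the advisory does not list)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def assess(version: str, encrypted_assertions: bool) -> str:
    """Combine the version state with the SAML configuration.

    Only SAML SSO with encrypted assertions is exposed, so an unpatched
    instance without that feature is flagged as 'not exposed' rather than
    vulnerable, while still being told to upgrade."""
    state = is_patched(version)
    if state is None:
        return "unknown: version line not covered by the bulletin"
    if state:
        return "patched"
    if not encrypted_assertions:
        return "unpatched but not exposed (encrypted assertions disabled); upgrade anyway"
    return "VULNERABLE: SAML SSO with encrypted assertions on an unpatched release"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    samples = [("3.12.3", True), ("3.12.4", True), ("3.9.14", False), ("3.13.0", True)]
    for ver, enc in samples:
        print(f"{ver:8} encrypted_assertions={enc!s:5} -> {assess(ver, enc)}")
```

Version comparison is done on integer tuples rather than strings so that, for example, 3.9.15 correctly sorts above 3.9.9; a minor line the bulletin does not mention returns "unknown" instead of guessing either way.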
Known issues with the update include:
- Custom firewall rules are wiped.
- “No such object” error during configuration validation for Notebook and Viewscreen services. (can be ignored)
- Management Console root admin account does not unlock automatically after lockout. (requires SSH access to unlock)
- TLS-enabled log forwarding fails as CA bundles uploaded using ghe-ssl-ca-certificate-install are not respected.
- The mbind: Operation not permitted error in MySQL logs can be ignored.
- AWS instances may lose system time synchronization after a reboot.
- All client IPs appear as 127.0.0.1 in audit logs when using the X-Forwarded-For header behind a load balancer.
- Large .adoc files may not render in the web UI but are available as plaintext.
- Backup restoration with ghe-restore may fail if Redis hasn’t restarted properly.
- Repositories imported using ghe-migrator do not track Advanced Security contributions correctly.
- GitHub Actions workflows for GitHub Pages may fail; fix requires specific SSH commands. (fix provided in the bulletin)
Despite those issues, anyone running the vulnerable configuration (SAML SSO with encrypted assertions enabled) should upgrade to a patched GHES version immediately; instances that do not use encrypted assertions are not exposed to this flaw but should still move to the fixed releases on their normal schedule.