An authentication bypass vulnerability was present in the GitHub Enterprise Server (GHES) when utilizing SAML single sign-on authentication with the optional encrypted assertions feature. This vulnerability allowed an attacker to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13.0 and was fixed in versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4. This vulnerability was reported via the GitHub Bug Bounty program.
The vulnerability results from improper implementation of SAML verification mechanism (CWE-303 — incorrect implementation of authentication algorithm) in the optional SAML SSO encrypted assertions feature. An attacker can craft (forge) a SAML response that will be accepted by the server as valid. Based on such a response, the system creates or grants access to a user account with site administrator privileges for the entire instance. The attack is possible remotely, without requiring any credentials.
An attacker can gain full administrative access to a GitHub Enterprise Server instance without authentication, which in practice means unlimited control over repositories, users, data, and system configuration.
Update GitHub Enterprise Server to version 3.9.15, 3.10.12, 3.11.10, or 3.12.4 (depending on the branch in use). As an immediate remedial measure, consider disabling the optional SAML encrypted assertions feature until the patch is deployed.
All versions of GitHub Enterprise Server earlier than 3.13.0 using SAML SSO with encrypted assertions feature enabled.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:RedGitHub Enterprise Server
APPGithub< 3.9.153.10.0 – 3.10.12 (bez)3.11.0 – 3.11.10 (bez)3.12.0 – 3.12.4 (bez)
Related vulnerabilities
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an ...
Obejście uwierzytelniania SAML SSO w GitHub Enterprise Server
XML Signature Wrapping w GitHub Enterprise Server — fałszowanie SAML
Command injection w GitHub Enterprise Server — eskalacja do admina SSH
Command injection w GitHub Enterprise Server — przejęcie dostępu SSH admina