An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning of users and access to the instance. Exploitation required the encrypted assertions feature to be enabled, and the attacker would require direct network access as well as a signed SAML response or metadata document. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.15 and was fixed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. This vulnerability was reported via the GitHub Bug Bounty program.
History
Fri, 11 Oct 2024 21:15:00 +0000
Type | Values Removed | Values Added
---|---|---
First Time appeared | | Github, Github enterprise Server
CPEs | | cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
Vendors & Products | | Github, Github enterprise Server
Metrics | | ssvc
Thu, 10 Oct 2024 21:30:00 +0000
Type | Values Removed | Values Added
---|---|---
Description | | An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning of users and access to the instance. Exploitation required the encrypted assertions feature to be enabled, and the attacker would require direct network access as well as a signed SAML response or metadata document. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.15 and was fixed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. This vulnerability was reported via the GitHub Bug Bounty program.
Title | | An Improper Verification of Cryptographic Signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed when the encrypted assertions feature was enabled
Weaknesses | | CWE-347
References | |
Metrics | | cvssV4_0
MITRE
Status: PUBLISHED
Assigner: GitHub_P
Published: 2024-10-10T21:08:48.720Z
Updated: 2024-10-11T15:34:07.811Z
Reserved: 2024-10-03T17:35:13.960Z
Link: CVE-2024-9487
Vulnrichment
Updated: 2024-10-11T15:33:53.008Z
NVD
Status : Awaiting Analysis
Published: 2024-10-10T22:15:11.357
Modified: 2024-10-15T12:58:51.050
Link: CVE-2024-9487
Redhat
No data.