CVE-2024-6800: GitHub resolves critical vulnerability in Enterprise Server

Update as soon as possible if you don't want to share your data with hackers.

On August 20, GitHub released updates to address three security vulnerabilities in its Enterprise Server product, including one critical issue that allowed attackers to gain site administrator privileges.

The most severe vulnerability was assigned the identifier CVE-2024-6800 and a CVSS score of 9.5. It affects GitHub Enterprise Server instances that use SAML authentication with certain identity providers (IdPs) that publish signed federation metadata XML files at a publicly accessible location. In that configuration, an attacker can forge a SAML response and gain access to a user account with site administrator privileges.

GitHub has also fixed two other medium-severity vulnerabilities. The first, CVE-2024-7711 with a CVSS score of 5.3, is an improper authorization issue that allows an attacker to change the title, assignees, and labels of any issue in a public repository. The second, CVE-2024-6337 with a score of 5.9, is also an improper authorization issue and allows the contents of issues in a private repository to be disclosed through a GitHub App that holds only read permission plus write permission for pull requests.

All three vulnerabilities were fixed in GitHub Enterprise Server (GHES) versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.
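As a practitioner's check, added here and not part of the original post or of GitHub's own tooling: a small Python script that classifies an installed GHES version against the fixed releases listed above. It assumes the table of fixed versions is complete for the four release lines it names (any other line is reported as unknown rather than guessed), and that the instance's unauthenticated /api/v3/meta endpoint, which reports installed_version, is reachable from where the script runs; the base URL is a placeholder.

```python
"""Classify a GitHub Enterprise Server version against the August 2024 fixes.

Added example, not GitHub's code. The fixed-version table below is the one
published for CVE-2024-6800, CVE-2024-7711 and CVE-2024-6337.
"""
import json
import urllib.request

# Patch level that closes all three CVEs on each listed release line.
FIXED_PATCH = {
    (3, 13): 3,
    (3, 12): 8,
    (3, 11): 14,
    (3, 10): 16,
}


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH' (a leading 'v' is tolerated) into ints."""
    parts = version.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a GHES version.

    'unknown' means the release line is not in the advisory's table
    (for example an end-of-life 3.9.x or a line newer than 3.13), so the
    table says nothing about it; do not read 'unknown' as safe.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if patch >= fixed else "vulnerable"


def installed_version(base_url: str, timeout: float = 5.0) -> str:
    """Read installed_version from the GHES meta endpoint.

    Assumption: base_url is the instance root (e.g. https://ghes.example.com)
    and GET /api/v3/meta answers without authentication from this host.
    """
    url = f"{base_url.rstrip('/')}/api/v3/meta"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["installed_version"]


if __name__ == "__main__":
    import sys
    # Usage: python ghes_check.py https://ghes.example.com
    #    or: python ghes_check.py 3.13.2
    arg = sys.argv[1] if len(sys.argv) > 1 else "3.13.2"
    ver = installed_version(arg) if arg.startswith("http") else arg
    print(f"GHES {ver}: {patch_status(ver)}")
```

The script only compares the patch number within a release line, which is how GHES fixes are shipped; a version on an unlisted line is flagged as unknown so that an out-of-support instance is not mistaken for a patched one.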

Earlier, in May, GitHub also patched a critical vulnerability (CVE-2024-4985) with the maximum CVSS score of 10.0, which allowed an attacker to gain access to a server without prior authentication.

Organizations using vulnerable versions of GHES are strongly encouraged to update to the latest version to protect themselves from potential security threats.
