GitHub Enterprise Server vulnerable to critical auth bypass flaw

Share:

A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine.

The security issue is identified as CVE-2024-6800 and received a 9.5 severity rating as per the CVSS 4.0 standard. It is described as an XML signature wrapping problem that occurs when using the Security Assertion Markup Language (SAML) authentication standard with certain identity providers.

“On GitHub Enterprise Server instances that use SAML single sign-on (SSO) authentication with specific IdPs utilizing publicly exposed signed federation metadata XML, an attacker could forge a SAML response to provision and/or gain access to a user account with site administrator privileges.” – GitHub

GitHub Enterprise Server (GHES) is a local version of GitHub for businesses that lack the experience for working with the public cloud or want to manage access and security controls.

According to the FOFA search engine for network assets exposed on the public web, there are more than 36,500 GHES instances accessible over the internet, most of them (29,200) located in the United States.

However, it is unclear how many of the exposed GHES machines are running a vulnerable version of the product.

GitHub has addressed the issue in GHES versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16.

The new GHES releases also include fixes for two other vulnerabilities, both with a medium severity score:

  • CVE-2024-7711: allows issues on public repositories to be modified by attackers
  • CVE-2024-6337: relates to disclosing issue content from a private repository

All three security issues were reported through GitHub’s Bug Bounty program on the HackerOne platform.

GitHub warns that some services might show errors during the configuration process after applying the security updates but instance should still start correctly.

Several issues related to log entries, memory utilization, and service interruptions during specific operations are also noted in the bulletin, so system admins are advised to check the ‘Known issues’ section before they apply the update.

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
11:52 am, Jul 11, 2025
weather icon 29°C
L: 27° | H: 31°
few clouds
Humidity: 44 %
Pressure: 1020 mb
Wind: 7 mph E
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 13%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:56 am
Sunset: 9:15 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
27° | 31°°C 0 mm 0% 8 mph 47 % 1020 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
18° | 30°°C 0 mm 0% 9 mph 65 % 1018 mb 0 mm/h
Sun Jul 13 10:00 pm
weather icon
17° | 27°°C 0 mm 0% 7 mph 73 % 1014 mb 0 mm/h
Mon Jul 14 10:00 pm
weather icon
20° | 29°°C 0 mm 0% 14 mph 71 % 1017 mb 0 mm/h
Tue Jul 15 10:00 pm
weather icon
15° | 27°°C 0 mm 0% 13 mph 71 % 1021 mb 0 mm/h
Today 1:00 pm
weather icon
29° | 29°°C 0 mm 0% 3 mph 44 % 1020 mb 0 mm/h
Today 4:00 pm
weather icon
29° | 31°°C 0 mm 0% 5 mph 39 % 1019 mb 0 mm/h
Today 7:00 pm
weather icon
28° | 28°°C 0 mm 0% 5 mph 33 % 1018 mb 0 mm/h
Today 10:00 pm
weather icon
22° | 22°°C 0 mm 0% 8 mph 47 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
18° | 18°°C 0 mm 0% 4 mph 55 % 1018 mb 0 mm/h
Tomorrow 4:00 am
weather icon
19° | 19°°C 0 mm 0% 4 mph 65 % 1018 mb 0 mm/h
Tomorrow 7:00 am
weather icon
19° | 19°°C 0 mm 0% 6 mph 64 % 1018 mb 0 mm/h
Tomorrow 10:00 am
weather icon
24° | 24°°C 0 mm 0% 6 mph 45 % 1017 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€100,962.14
6.40%
Ethereum(ETH)
€2,570.28
8.10%
Tether(USDT)
€0.85
0.02%
XRP(XRP)
€2.26
8.46%
Solana(SOL)
€140.86
4.43%
USDC(USDC)
€0.85
0.00%
Dogecoin(DOGE)
€0.170497
10.23%
Shiba Inu(SHIB)
€0.000012
7.70%
Pepe(PEPE)
€0.000011
15.16%
Peanut the Squirrel(PNUT)
€0.246894
20.17%
Scroll to Top