Improper Verification of Cryptographic Signature (CWE-347)
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed. This resulted in unauthorized provisioning of users and access to the instance. The vulnerability required the encrypted assertions feature to be enabled, and the attacker would need direct network access as well as a signed SAML response or metadata document.
This vulnerability could allow an attacker to bypass SAML SSO authentication, potentially leading to unauthorized user provisioning and unauthorized access to the GitHub Enterprise Server instance. This could result in a severe security breach, giving attackers a high level of access to sensitive data and systems within the GitHub Enterprise Server environment.
There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation at the moment.
A patch is available. The vulnerability has been fixed in GitHub Enterprise Server versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. All versions prior to 3.15 were affected.
1. Update GitHub Enterprise Server to one of the patched versions: 3.11.16, 3.12.10, 3.13.5, 3.14.2, or any version 3.15 or later.
2. If immediate patching is not possible, consider temporarily disabling the encrypted assertions feature until the update can be applied.
3. Monitor and restrict direct network access to the GitHub Enterprise Server instance.
4. Implement additional security measures around SAML SSO, such as multi-factor authentication.
5. Audit user accounts and access privileges to identify any potentially unauthorized users or access that may have occurred due to this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Red
NVD published the first details for CVE-2024-9487.
A CVSS base score of 9.5 has been assigned.
Feedly found the first article mentioning CVE-2024-9487.
Feedly estimated the CVSS score as HIGH.
Detection for the vulnerability has been added to Qualys (QID 380677).
EPSS score was set to 0.05% (percentile: 16.4%).
CVE-2024-9487 is a high-severity vulnerability in GitHub Enterprise Server that allows SAML SSO authentication to be bypassed, leading to unauthorized user provisioning and access; it affects all versions prior to 3.15. Exploitation requires the encrypted assertions feature to be enabled, direct network access, and a signed SAML response or metadata document. The issue has been patched in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. The vulnerability was reported through the GitHub Bug Bounty program; no information on exploitation in the wild or proof-of-concept exploits is provided in the article.