GitHub warns of SAML auth bypass flaw in Enterprise Server
GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.
Exploiting the flaw would allow a threat actor to forge a SAML response and gain administrator privileges, providing unrestricted access to all of the instance's contents without requiring any authentication.
GHES is a self-hosted version of GitHub designed for organizations that prefer to store repositories on their own servers or private cloud environments.
It caters to the needs of large enterprises or development teams that require greater control over their assets, entities handling sensitive or proprietary data, organizations with high-performance needs, and users requiring offline access capabilities.
The flaw, which was submitted to GitHub's Bug Bounty program, only impacts instances utilizing Security Assertion Markup Language (SAML) SSO with encrypted assertions. This optional feature protects data against interception (man-in-the-middle attacks).
Due to encrypted assertions not being the default setting on GHES, CVE-2024-4986 only impacts instances whose administrators have enabled the security feature.
The vulnerability has been fixed in GHEL versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15, all released yesterday, on May 20.
Known issues with the update include:
- Custom firewall rules are wiped.
- "No such object" error during configuration validation for Notebook and Viewscreen services. (can be ignored)
- Management Console root admin account does not unlock automatically after lockout. (requires SSH access to unlock)
- TLS-enabled log forwarding fails as CA bundles uploaded using ghe-ssl-ca-certificate-install are not respected.
- The mbind: Operation not permitted error in MySQL logs can be ignored.
- AWS instances may lose system time synchronization after a reboot.
- All client IPs appear as 127.0.0.1 in audit logs when using the X-Forwarded-For header behind a load balancer.
- Large .adoc files may not render in the web UI but are available as plaintext.
- Backup restoration with ghe-restore may fail if Redis hasn't restarted properly.
- Repositories imported using ghe-migrator do not track Advanced Security contributions correctly.
- GitHub Actions workflows for GitHub Pages may fail; fix requires specific SSH commands. (fix provided in the bulletin)
Despite those issues, those using the vulnerable configuration (SAML SSO + encrypted assertions) should immediately move to a safe GHEL version.
Google Chrome's new post-quantum cryptography may break TLS connections
Google rolls out Chrome fix for empty pages when switching tabs
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
Free online web security scanner
