GitHub warns of SAML auth bypass flaw in Enterprise Server
GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication.
Exploiting the flaw would allow a threat actor to forge a SAML response and gain administrator privileges, providing unrestricted access to all of the instance's contents without requiring any authentication.
GHES is a self-hosted version of GitHub designed for organizations that prefer to store repositories on their own servers or private cloud environments.
It caters to the needs of large enterprises or development teams that require greater control over their assets, entities handling sensitive or proprietary data, organizations with high-performance needs, and users requiring offline access capabilities.
The flaw, which was submitted to GitHub's Bug Bounty program, only impacts instances utilizing Security Assertion Markup Language (SAML) SSO with encrypted assertions. This optional feature protects data against interception (man-in-the-middle attacks).
Due to encrypted assertions not being the default setting on GHES, CVE-2024-4986 only impacts instances whose administrators have enabled the security feature.
The vulnerability has been fixed in GHES versions 3.12.4, 3.11.10, 3.10.12, and 3.9.15, all released yesterday, on May 20.
Known issues with the update include:
- Custom firewall rules are wiped.
- "No such object" error during configuration validation for Notebook and Viewscreen services (can be ignored).
- Management Console root admin account does not unlock automatically after lockout (requires SSH access to unlock).
- TLS-enabled log forwarding fails as CA bundles uploaded using ghe-ssl-ca-certificate-install are not respected.
- The "mbind: Operation not permitted" error in MySQL logs can be ignored.
- AWS instances may lose system time synchronization after a reboot.
- All client IPs appear as 127.0.0.1 in audit logs when using the X-Forwarded-For header behind a load balancer.
- Large .adoc files may not render in the web UI but are available as plaintext.
- Backup restoration with ghe-restore may fail if Redis hasn't restarted properly.
- Repositories imported using ghe-migrator do not track Advanced Security contributions correctly.
- GitHub Actions workflows for GitHub Pages may fail; the fix requires specific SSH commands, which are provided in the bulletin.
Despite those issues, administrators running the vulnerable configuration (SAML SSO with encrypted assertions) should immediately upgrade to a fixed GHES version.
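As an added example (not the article's or GitHub's code), the following script applies the exposure conditions described above, SAML SSO with encrypted assertions on a release older than the first fixed release of its branch, to a fleet inventory; the hostnames, versions and inventory field names are constructed assumptions.

```python
"""Triage GitHub Enterprise Server instances for CVE-2024-4986 exposure.
Added example, not GitHub's code: exposure conditions and fixed releases come
from the advisory summary; the inventory and field names below are constructed."""

# First patched release on each supported branch (3.12.4, 3.11.10, 3.10.12, 3.9.15).
FIXED_RELEASES = {(3, 12): 4, (3, 11): 10, (3, 10): 12, (3, 9): 15}

VULNERABLE = "VULNERABLE"                  # exposed config on an unpatched release
PATCHED = "PATCHED"                        # exposed config on a fixed release
NOT_EXPOSED = "NOT_EXPOSED"                # no SAML SSO, or SAML without encrypted assertions
UNSUPPORTED_BRANCH = "UNSUPPORTED_BRANCH"  # no fixed release listed; upgrade the branch


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (a leading 'v' is tolerated) into a tuple of ints."""
    parts = version.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str, saml_sso: bool, encrypted_assertions: bool) -> str:
    """Classify one instance: only SAML SSO with encrypted assertions is affected,
    and only on releases older than the first fixed release of that branch."""
    major, minor, patch = parse_version(version)
    if not (saml_sso and encrypted_assertions):
        return NOT_EXPOSED
    first_fixed = FIXED_RELEASES.get((major, minor))
    if first_fixed is None:
        return UNSUPPORTED_BRANCH
    return PATCHED if patch >= first_fixed else VULNERABLE


def triage(inventory: list[dict]) -> dict[str, str]:
    """Map each instance name to its status."""
    return {h["name"]: assess(h["version"], h["saml_sso"], h["encrypted_assertions"])
            for h in inventory}

# Constructed sample inventory; hostnames, versions and settings are made up.
SAMPLE_INVENTORY = [
    {"name": "ghes-prod.example.internal", "version": "3.11.9", "saml_sso": True, "encrypted_assertions": True},
    {"name": "ghes-staging.example.internal", "version": "3.12.4", "saml_sso": True, "encrypted_assertions": True},
    {"name": "ghes-legacy.example.internal", "version": "3.8.20", "saml_sso": True, "encrypted_assertions": True},
    {"name": "ghes-dev.example.internal", "version": "3.10.11", "saml_sso": True, "encrypted_assertions": False},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Instances reported as NOT_EXPOSED are outside the scope of this CVE but should still be scheduled for the same upgrade, and UNSUPPORTED_BRANCH instances need a move to a supported branch rather than a point release.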