Patch this critical GitHub Enterprise Server bug now • The Register
A critical bug in GitHub Enterprise Server could allow an attacker to gain unauthorized access to a user account with administrative privileges and subsequently destroy an organization’s code repositories.

The good news is that there is a fix. Microsoft-owned GitHub has addressed the flaw, which carries a CVSS score of 9.5 and is tracked as CVE-2024-6800, in GitHub Enterprise Server (GHES) versions 3.13.3, 3.10.16, 3.11.14, and 3.12.8.

Organizations running a vulnerable instance of GHES, the self-hosted version of GitHub, should apply the update as soon as possible, since attackers are likely already looking for this CVE.

The GHES versions affected include 3.13.0 to 3.13.2, 3.10.0 to 3.10.15, 3.11.0 to 3.11.13, and 3.12.0 to 3.12.7.
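To turn the version ranges above into a quick check, here is an added example (not from the article or from GitHub) that classifies an installed GHES version against the fixed releases. It assumes the version string follows the usual `major.minor.patch` form and, for the second helper, that the instance's `/api/v3/meta` response carries an `installed_version` field; the JSON sample is constructed.

```python
import json
import re

# Release lines and the first patch level that fixes CVE-2024-6800,
# taken from the version numbers quoted in this article.
FIXED_BY_LINE = {
    (3, 10): 16,
    (3, 11): 14,
    (3, 12): 8,
    (3, 13): 3,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a GHES version string such as '3.12.7'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Classify an installed GHES version against the CVE-2024-6800 fixes.

    Returns one of:
      ("vulnerable", "<fixed version to upgrade to>")
      ("patched", None)
      ("unknown", None)  -- a release line this advisory does not list
    """
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_BY_LINE.get((major, minor))
    if fixed_patch is None:
        return ("unknown", None)
    if patch < fixed_patch:
        return ("vulnerable", f"{major}.{minor}.{fixed_patch}")
    return ("patched", None)


def assess_meta_json(meta_json):
    """Assess the 'installed_version' field of a GHES /api/v3/meta response (assumed field name)."""
    version = json.loads(meta_json).get("installed_version")
    if not version:
        return ("unknown", None)
    return assess(version)


if __name__ == "__main__":
    # Constructed sample of the /api/v3/meta payload (only the relevant field).
    sample = '{"installed_version": "3.12.7"}'
    print(assess_meta_json(sample))  # ('vulnerable', '3.12.8')
```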

As GitHub explained in the release notes linked above, the critical flaw affected GHES instances that use Security Assertion Markup Language (SAML) for single sign-on with specific identity providers (IdPs) that rely on publicly exposed, signed federation metadata XML. Under those conditions an attacker could forge a SAML response and obtain administrative privileges on the instance, potentially giving an unauthorized party access to your organization’s GitHub-hosted repos.

This vulnerability, along with two others addressed in version 3.13.3, was reported through the GitHub Bug Bounty program.

The other two bugs that have now been fixed are both of medium severity.

CVE-2024-7711 could allow an attacker to update the title, assignees, and labels of any issue in a public repository — public being the key word here. Private and internal repositories are unaffected by this bug, which has a CVSS rating of 5.3.

CVE-2024-6337 is a vulnerability with a rating of 5.9 that could allow an attacker to disclose the contents of issues in a private repository via a GitHub app holding only the ‘content: read’ and ‘pull_request_write: write’ permissions.

This can only be exploited with a user access token, we are told. Installation access tokens are not affected.

It’s been a turbulent few weeks for the collaborative coding technology giant.

This security update comes about a week after GitHub broke itself after rolling out a “bad” configuration change to all GitHub.com databases, causing a global outage of several of its services, along with GitHub.com and the GitHub API.

Also last week, Palo Alto’s Unit 42 threat intelligence team discovered that a bad combination of misconfigurations and vulnerabilities can cause GitHub Actions artifacts to leak both GitHub and external cloud service tokens. ®