Industry

GitHub Enterprise Server 3.13.3 tackles critical SAML vulnerability

Sep 03, 2024

GitHub has released Enterprise Server 3.13.3, addressing several security vulnerabilities, including a critical flaw affecting instances using SAML single sign-on. 

Alongside security patches, the update delivers bug fixes, minor feature enhancements, and changes to the platform.

The most pressing issue tackled by this update is a critical vulnerability (CVE-2024-6800) impacting instances employing SAML SSO with specific Identity Providers (IdPs).

CVE-2024-6800 was discovered through GitHub’s Bug Bounty programme and could allow an attacker to forge a SAML response, potentially granting them access to user accounts with site administrator privileges.

This release also addresses two medium-severity vulnerabilities:

  • CVE-2024-7711: This vulnerability allowed attackers to modify the title, assignees, and labels of issues within public repositories. Private and internal repositories remained unaffected.
  • CVE-2024-6337: Attackers could exploit this vulnerability to expose issue content from private repositories using a GitHub App with specific read and write permissions. It’s important to note that this exploit required a user access token and did not impact installation access tokens.

Beyond security fixes, 3.13.3 brings several notable changes:

  • Enhanced visibility: Users gain increased visibility into the state of gists, networks, and wikis with the addition of app state information within the spokesctl info output. Additionally, the spokesctl check command can now diagnose and often rectify empty repository networks.
  • Improved stability and performance: Several bug fixes target issues related to hotpatching, configuration updates, and database migrations, resulting in improved system stability.
  • Usability improvements: Administrators benefit from more granular control over the maximum object size within repositories. Users can now customise their link underline styling preferences within the accessibility settings.

While this update enhances security and stability, GitHub acknowledges several known issues outlined within the official release notes. These include potential errors during configuration runs, issues with audit log data migration, and increased memory utilisation.

To review the full list of changes, please refer to the official release notes on GitHub’s website.

(Photo by Roman Synkevych)

See also: Unit 42 researchers uncover critical GitHub Actions vulnerability

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo, and AI & Big Data Expo.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: coding, cybersecurity, development, enterprise server, git, github, infosec, programming, security, vulnerability