News: 1724282107

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

You probably want to patch this critical GitHub Enterprise Server bug now

(2024/08/22)


A critical bug in GitHub Enterprise Server could allow an attacker to gain unauthorized access to a user account with administrator privileges and then wreak havoc on an organization's code repositories.

The good news is that there's a fix. The Microsoft-owned code hosting service addressed the 9.5 CVSS-rated flaw tracked as [1]CVE-2024-6800 in GitHub Enterprise Server (GHES) versions [2]3.13.3 , [3]3.10.16 , [4]3.11.14 , and [5]3.12.8 .

Orgs running a vulnerable instance of GitHub Enterprise Server (GHES), GitHub's self-hosted version, will likely do well to download the update ASAP as miscreants are likely already scanning for this CVE.

[6]

Affected versions of GHES include 3.13.0 to 3.13.2, 3.10.0 to 3.10.15, 3.11.0 to 3.11.13 and 3.12.0 to 3.12.7.

[7]

[8]

As GitHub explained in the release notes we’ve linked to above, the critical flaw affected GHES instances that use Security Assertion Markup Language (SAML) for single sign-on authentication. The SAML authentication allows specific identity providers (IdPs) that use publicly exposed and signed federation metadata XML. This could allow an attacker to forge a SAML response to gain administrator privileges on a compromised machine, thus giving an unauthorized party access to your organization's GitHub-hosted repos.

This vulnerability, along with two others addressed in version 3.13.3, were reported via the [9]GitHub Bug Bounty program .

[10]

The other two now-fixed flaws are both rated medium-severity.

[11]CVE-2024-7711 could allow an attacker to update the title, assignees and labels of any issue inside a public repository — public being the key word here. Private and internal repositories are not affected by this bug, which earned a 5.3 CVSS rating.

[12]CVE-2024-6337 is a 5.9-rated vulnerability that could allow an attacker to disclose the issue contents from a private repository using a GitHub App with only 'content: read' and 'pull_request_write: write' permissions.

[13]

This one can only be exploited with a user-access token, we're told. Installation access tokens are not affected.

[14]GitHub rolls back database change after breaking itself

[15]Who needs GitHub Copilot when you can roll your own AI code assistant at home

[16]110K domains targeted in 'sophisticated' AWS cloud extortion campaign

[17]Multiple flaws in Microsoft macOS apps unpatched despite potential risks

It's been a rocky couple of weeks for the collaborative coding colossus.

This security update comes about a week after GitHub [18]broke itself after rolling out an "erroneous" configuration change to all GitHub.com databases. This caused a global outage to several of its services, along with GitHub.com and the GitHub API.

Also last week, Palo Alto’s Unit 42 threat intelligence team found that a [19]bad combination of misconfigurations and security flaws can make GitHub Actions artifacts leak both GitHub and third-party cloud services tokens. ®

Get our [20]Tech Resources



[1] https://www.cve.org/cverecord?id=CVE-2024-6800

[2] https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3

[3] https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.16

[4] https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14

[5] https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://bounty.github.com/

[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[11] https://www.cve.org/cverecord?id=CVE-2024-7711

[12] https://www.cve.org/cverecord?id=CVE-2024-6337

[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zsa35lkz04-aS1Sgk6x-GwAAAIk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[14] https://www.theregister.com/2024/08/14/github_rollback/

[15] https://www.theregister.com/2024/08/18/self_hosted_github_copilot/

[16] https://www.theregister.com/2024/08/21/aws_extortion_campaign/

[17] https://www.theregister.com/2024/08/19/cisco_talos_microsoft_macos/

[18] https://www.theregister.com/2024/08/14/github_rollback/

[19] https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/

[20] https://whitepapers.theregister.com/



Man 1: Ask me the what the most important thing about telling a good joke is.

Man 2: OK, what is the most impo --

Man 1: ______TIMING!