Article Details

GitHub Enterprise Server patches 10-outta-10 critical hole. On the bright side, someone made up to $30,000+ for finding it. GitHub has patched its Enterprise Server software to fix a security flaw that scored a 10 out of 10 CVSS severity score. The vulnerability affects instances of GitHub Enterprise Server, and gives full admin access to anyone exploiting the issue in any version of the code prior to version p3.13.0 of the code base. "On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges," GitHub disclosed this week in the release notes that accompanied patches for four versions of Enterprise Server. The bug has been assigned as CVE-2024-4985 and received the maximum severity score of 10. However, not all instances of Enterprise Server are impacted since it requires the optional encrypted assertions feature to be enabled, and that in turn requires SAML SSO to be used as well. Ironically, encrypted assertions are supposed to bolster security by encrypting communications sent from the SAML identity provider. Plus, the bug doesn't exist at all in versions based on the latest 3.13.x branch, instead being observed in the 3.9.x, 3.10.x, 3.11.x, and 3.12.x branches. Many users still rely on older versions of software, so the impact of the vulnerability is still likely significant. Microsoft-owned GitHub – the same Microsoft that has vowed to boost its at times woeful security – says it learned about the flaw through its bug bounty program, which rewards people who poke around GitHub software until they find a vulnerability. More severe bugs score bigger rewards, and in this case whoever reported the issue to GitHub got a windfall of $20-30,000 per GitHub's program. Though, even $30,000 might be conservative. "The upper bound for critical vulnerabilities is only a guideline, and GitHub may reward higher amounts for exceptional reports," GitHub says. Since this was a maximum severity security hole, the person who found it might have been paid very generously indeed.