GitHub Enterprise Server 3.13.3 tackles critical SAML vulnerability

3 weeks ago 13

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)

GitHub has released Enterprise Server 3.13.3, addressing several security vulnerabilities, including a critical flaw affecting instances using SAML single sign-on.

Alongside security patches, the update delivers bug fixes, minor feature enhancements, and changes to the platform.

The most pressing issue tackled by this update is a critical vulnerability (CVE-2024-6800) impacting instances employing SAML SSO with specific Identity Providers (IdPs).

CVE-2024-6800 was discovered through GitHub’s Bug Bounty programme and could allow an attacker to forge a SAML response, potentially granting them access to user accounts with site administrator privileges.

This release also addresses two medium-severity vulnerabilities:

CVE-2024-7711: This vulnerability allowed attackers to modify the title, assignees, and labels of issues within public repositories. Private and internal repositories remained unaffected.
CVE-2024-6337: Attackers could exploit this vulnerability to expose issue content from private repositories using a GitHub App with specific read and write permissions. It’s important to note that this exploit required a user access token and did not impact installation access tokens.

Beyond security fixes, 3.13.3 brings several notable changes:

Enhanced visibility: Users gain increased visibility into the state of gists, networks, and wikis with the addition of app state information within the spokesctl info output. Additionally, the spokesctl check command can now diagnose and often rectify empty repository networks.
Improved stability and performance: Several bug fixes target issues related to hotpatching, configuration updates, and database migrations, resulting in improved system stability.
Usability improvements: Administrators benefit from more granular control over the maximum object size within repositories. Users can now customise their link underline styling preferences within the accessibility settings.

While this update enhances security and stability, GitHub acknowledges several known issues outlined within the official release notes. These include potential errors during configuration runs, issues with audit log data migration, and increased memory utilisation.

To review the full list of changes, please refer to the official release notes on GitHub’s website.

(Photo by Roman Synkevych)

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo, and AI & Big Data Expo.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: coding, cybersecurity, development, enterprise server, git, github, infosec, programming, security, vulnerability