On August 20, 2024, GitHub released security fixes for a critical authentication bypass vulnerability in GitHub Enterprise Server, identified as CVE-2024-6800. GitHub Enterprise Server is a self-hosted version of GitHub, designed for organizations to manage and collaborate on code securely within their own infrastructure. This vulnerability affects instances using SAML single sign-on (SSO) with certain identity providers (IdPs) that publicly expose signed federation metadata XML. An attacker could exploit this flaw by forging a SAML response to provision or gain unauthorized access to a site administrator account.
Arctic Wolf has not observed any exploitation of this vulnerability in the wild, and there are no known published Proof of Concept (PoC) exploits at this time. While vulnerabilities in GitHub Enterprise Server have not been publicly reported as being used in attacks, threat actors may focus on this vulnerability due to the significant access gained by compromising a vulnerable instance and the widespread use of GitHub across organizations globally.
Recommendation for CVE-2024-6800
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
Product | Affected Version | Fixed Version |
--- | --- | --- |
GitHub Enterprise Server | Versions prior to 3.13.3, 3.12.8, 3.11.14, and 3.10.16 | Any of the following: 3.13.3, 3.12.8, 3.11.14, or 3.10.16 |
Note: GitHub has cautioned that errors may appear during configuration after the security updates are applied, but the instance should still start without issues.
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
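To turn the version table above into a repeatable check, the following Python snippet is an added example (not Arctic Wolf's or GitHub's own code) that decides whether a reported GitHub Enterprise Server version still falls inside the affected range, branch by branch; the optional lookup assumes the instance's `/api/v3/meta` endpoint returns an `installed_version` field.

```python
"""Classify a GitHub Enterprise Server version against the CVE-2024-6800 fixed releases."""
import json
import urllib.request
from typing import Tuple

# Fixed releases from the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (3, 13): (3, 13, 3),
    (3, 12): (3, 12, 8),
    (3, 11): (3, 11, 14),
    (3, 10): (3, 10, 16),
}
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a 'major.minor.patch' string such as '3.12.7'; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if the version is older than the fixed release for its branch."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Branches newer than 3.13 (e.g. 3.14.x) are not "prior to" any listed fix.
    if branch > NEWEST_FIXED_BRANCH:
        return False
    # Branches older than 3.10 have no fixed release listed; treat them as affected.
    return True


def installed_version(base_url: str, timeout: float = 10.0) -> str:
    """Fetch installed_version from the instance's /api/v3/meta endpoint.

    Assumption: the endpoint is reachable and exposes installed_version (it may
    require a token on instances running in private mode).
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v3/meta",
        headers={"Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["installed_version"]
```

Running `is_vulnerable(installed_version("https://ghes.example.internal"))` against each instance gives a quick inventory of what still needs the upgrade.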