CVE-2024-9487
Published: 10 October 2024
Summary
CVE-2024-9487 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Github Enterprise Server. Its CVSS base score is 9.5 (Critical).
Operationally, ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An improper verification of cryptographic signature vulnerability, tracked as CWE-347, was identified in GitHub Enterprise Server. The flaw permitted bypass of SAML SSO authentication, enabling unauthorized user provisioning and instance access. It affected all versions prior to 3.15 and required the encrypted assertions feature to be enabled for exploitation.
An attacker with direct network access and a signed SAML response or metadata document could exploit the issue to circumvent authentication controls. This would allow provisioning of users and gaining unauthorized access to the GitHub Enterprise Server instance without valid credentials.
The vulnerability was addressed in the release notes for GitHub Enterprise Server versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2, with the issue reported through the GitHub Bug Bounty program. Organizations should upgrade to one of the fixed versions to mitigate the risk.
The associated EPSS score reached a peak of 0.6027 from a lower starting point before settling at a current value of 0.5069, indicating that exploitation interest emerged after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49973
Vulnerability details
An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning of users and access to the instance. Exploitation required the encrypted assertions feature to be…
more
enabled, and the attacker would require direct network access as well as a signed SAML response or metadata document. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.15 and was fixed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. This vulnerability was reported via the GitHub Bug Bounty program.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.
Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.