Cyber Resilience

CVE-2024-9487

Severity: Critical
Published: 10 October 2024
Modified: 15 November 2024
CISA KEV: not listed
Patch: fixed in GitHub Enterprise Server 3.11.16, 3.12.10, 3.13.5 and 3.14.2
CVSS v4.0 score: 9.5 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Red)
EPSS score: 0.5069 (97.9th percentile)
Risk Priority: 49 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-9487 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in GitHub Enterprise Server that allows SAML SSO authentication to be bypassed. Its CVSS v4.0 base score is 9.5 (Critical).

Its EPSS score (0.5069, 97.9th percentile) places it in the top 2.1% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An improper verification of cryptographic signature vulnerability, tracked as CWE-347, was identified in GitHub Enterprise Server. The flaw permitted bypass of SAML SSO authentication, enabling unauthorized user provisioning and instance access. It affected all versions prior to 3.15 and required the encrypted assertions feature to be enabled for exploitation.

An attacker with direct network access and a signed SAML response or metadata document could exploit the issue to circumvent authentication controls. This would allow provisioning of users and gaining unauthorized access to the GitHub Enterprise Server instance without valid credentials.

The fix shipped in GitHub Enterprise Server 3.11.16, 3.12.10, 3.13.5 and 3.14.2 (documented in the release notes for each), and 3.15 and later are not affected; the issue was reported through the GitHub Bug Bounty program. Organizations running an earlier release should upgrade to one of the fixed versions.

The EPSS score rose from a lower initial value to a peak of 0.6027 before settling at its current 0.5069, indicating that exploitation interest emerged after disclosure rather than at publication.

Vulnerability details

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning of users and access to the instance. Exploitation required the encrypted assertions feature to be enabled, and the attacker would require direct network access as well as a signed SAML response or metadata document. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.15 and was fixed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. This vulnerability was reported via the GitHub Bug Bounty program.
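The weakness class that the analysis above and this description both refer to, shown as an added example: this is not GitHub's code and does not reproduce the actual GHES flaw, whose root cause the advisory does not describe. It contrasts a service-provider-side assertion verifier that trusts whatever key the document carries and lets unsigned assertions through (the CWE-347 pattern, and exactly what an attacker holding a self-signed SAML response could abuse) with a hardened verifier pinned to the IdP key configured out of band. The Assertion type, the issuer URL, the payload strings and all keys are constructed here; real SAML signs canonicalized XML, which this model deliberately omits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Assertion is a simplified stand-in for a SAML <Assertion> after any
// <EncryptedAssertion> wrapper has been decrypted. Real SAML signs a canonicalized
// XML element; here the signed bytes are just Payload, enough to show the CWE-347 trust-anchor mistake.
type Assertion struct {
	Issuer    string
	Payload   string // what the service provider acts on, e.g. "NameID=alice@example.com"
	Signature []byte // RSA PKCS#1 v1.5 / SHA-256 over Payload; nil when unsigned
	KeyInfo   []byte // PKIX DER public key carried in the document (like <ds:KeyInfo>)
}

// sign builds an assertion signed with whatever key the caller holds (the genuine IdP or an attacker).
func sign(priv *rsa.PrivateKey, issuer, payload string) Assertion {
	digest := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	return Assertion{Issuer: issuer, Payload: payload, Signature: sig, KeyInfo: der}
}

// verifyWeak illustrates the weakness class (not GHES code): it trusts the key
// embedded in the document and lets unsigned assertions through, so "signed by
// someone" is mistaken for "signed by our IdP".
func verifyWeak(a Assertion) error {
	if a.Signature == nil {
		return nil // unsigned assertion accepted
	}
	pubAny, err := x509.ParsePKIXPublicKey(a.KeyInfo)
	if err != nil {
		return err
	}
	pub := pubAny.(*rsa.PublicKey) // key chosen by whoever wrote the document
	digest := sha256.Sum256([]byte(a.Payload))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature)
}

// verifyStrict is the hardened form: the signature is checked only against the IdP
// key configured out of band (from trusted metadata), unsigned assertions are rejected
// even if they arrived inside an encrypted wrapper, and the issuer must match.
func verifyStrict(a Assertion, idpKey *rsa.PublicKey, expectedIssuer string) error {
	if a.Signature == nil {
		return errors.New("assertion is not signed")
	}
	if a.Issuer != expectedIssuer {
		return errors.New("unexpected issuer")
	}
	digest := sha256.Sum256([]byte(a.Payload))
	if err := rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, digest[:], a.Signature); err != nil {
		return errors.New("signature does not verify under the configured IdP key")
	}
	return nil
}

// Outcome records which verifier accepted which assertion.
type Outcome struct {
	WeakAcceptsGenuine, StrictAcceptsGenuine   bool
	WeakAcceptsForged, StrictAcceptsForged     bool
	WeakAcceptsUnsigned, StrictAcceptsUnsigned bool
}

// RunScenario constructs a genuine assertion from the configured IdP, a forged one
// signed by an attacker-controlled key, and an unsigned one, then runs both
// verifiers over them. Keys, issuer and payloads are all made up here.
func RunScenario() Outcome {
	const idpIssuer = "https://idp.example.com" // hypothetical IdP entity ID
	idp, _ := rsa.GenerateKey(rand.Reader, 2048)      // error ignored: cannot fail with a working CSPRNG
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048) // the attacker's own key, never trusted by the SP
	genuine := sign(idp, idpIssuer, "NameID=alice@example.com")
	forged := sign(attacker, idpIssuer, "NameID=attacker@example.com;Role=admin")
	unsigned := Assertion{Issuer: idpIssuer, Payload: "NameID=attacker@example.com"}
	return Outcome{
		WeakAcceptsGenuine:    verifyWeak(genuine) == nil,
		StrictAcceptsGenuine:  verifyStrict(genuine, &idp.PublicKey, idpIssuer) == nil,
		WeakAcceptsForged:     verifyWeak(forged) == nil,
		StrictAcceptsForged:   verifyStrict(forged, &idp.PublicKey, idpIssuer) == nil,
		WeakAcceptsUnsigned:   verifyWeak(unsigned) == nil,
		StrictAcceptsUnsigned: verifyStrict(unsigned, &idp.PublicKey, idpIssuer) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The weak verifier accepts both the forged and the unsigned assertion; the strict one accepts only the assertion signed by the pinned IdP key. In a real relying party the same three rules apply after decryption of an encrypted assertion: never take the trust anchor from the message, never treat "unsigned" as "verified", and bind the verified bytes to the attributes used for provisioning.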

CWE(s)

CWE-347: Improper Verification of Cryptographic Signature

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

GitHub Enterprise Server
< 3.11.16 · 3.12.0 to < 3.12.10 · 3.13.0 to < 3.13.5 · 3.14.0 to < 3.14.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-347) cited in the NVD entry. It is generic to that weakness, and several entries (for example, DNSSEC response validation) do not apply to SAML SSO. The operative mitigation for this CVE is upgrading to a fixed release; until then, note that exploitation requires the encrypted assertions feature to be enabled.

Addresses CWE-347: requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

Addresses CWE-347: component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

Addresses CWE-347: PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

Addresses CWE-347: requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

Addresses CWE-347: mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

Addresses CWE-347: integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.

Addresses CWE-347: authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.

References