GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487)
Overview
An update has been released to address vulnerabilities in GitHub Enterprise Server (GHES). Users of the affected versions are advised to update to the latest version.
Affected Products
CVE-2024-9487
- GitHub Enterprise Server (GHES) versions: 3.11.0 (inclusive) ~ 3.11.15 (inclusive)
- GitHub Enterprise Server (GHES) versions: 3.12.0 (inclusive) ~ 3.12.9 (inclusive)
- GitHub Enterprise Server (GHES) versions: 3.13.0 (inclusive) ~ 3.13.4 (inclusive)
- GitHub Enterprise Server (GHES) versions: 3.14.0 (inclusive) ~ 3.14.1 (inclusive)
Resolved Vulnerabilities
A vulnerability in GitHub Enterprise Server that could allow unauthorized user provisioning and access via a SAML SSO authentication bypass (CVE-2024-9487)
Vulnerability Patches
The following product-specific vulnerability patches have been made available with the latest update. If you are using an affected version, please follow the instructions on the referenced sites to update to the patched version.
CVE-2024-9487
- GitHub Enterprise Server (GHES) version: 3.11.16
- GitHub Enterprise Server (GHES) version: 3.12.10
- GitHub Enterprise Server (GHES) version: 3.13.5
- GitHub Enterprise Server (GHES) version: 3.14.2
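To check an inventory of GHES instances against the affected ranges and fixed releases listed above, the following is an added example (not GitHub's code and not part of the advisory); the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Triage GitHub Enterprise Server versions against the CVE-2024-9487 advisory."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive at both ends) and the release that fixes each,
# exactly as stated in the advisory.
AFFECTED_RANGES: Dict[Tuple[Version, Version], Version] = {
    ((3, 11, 0), (3, 11, 15)): (3, 11, 16),
    ((3, 12, 0), (3, 12, 9)): (3, 12, 10),
    ((3, 13, 0), (3, 13, 4)): (3, 13, 5),
    ((3, 14, 0), (3, 14, 1)): (3, 14, 2),
}


def parse_version(version: str) -> Version:
    """Parse 'major.minor.patch' (e.g. '3.13.2') into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GHES version string: {version!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release an instance should move to, or None when the
    version is not inside any range the advisory lists (e.g. already patched)."""
    v = parse_version(version)
    for (low, high), fixed in AFFECTED_RANGES.items():
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map host -> (running version, fixed version or None) for a GHES inventory."""
    return {host: (ver, fixed_version_for(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "ghes-prod.example.internal": "3.13.2",
        "ghes-staging.example.internal": "3.14.2",
        "ghes-legacy.example.internal": "3.11.15",
    }
    for host, (ver, fixed) in triage(sample).items():
        status = f"affected, update to {fixed}" if fixed else "not in a listed affected range"
        print(f"{host}: {ver} -> {status}")
```

A version outside every listed range (for example an older, end-of-life branch) reports as not listed, not as safe; that case needs a separate check against the vendor's support policy.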
References
[1] CVE-2024-9487 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-9487
[2] Enterprise Server 3.11.16
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16
[3] Enterprise Server 3.12.10
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10
[4] Enterprise Server 3.13.5
https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5
[5] Enterprise Server 3.14.2
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2