Future Tech
GitHub Enterprise Server patches 10-outta-10 critical hole
GitHub has patched its Enterprise Server software to fix a security flaw that scored a 10 out of 10 CVSS severity score.
The vulnerability affects instances of GitHub Enterprise Server, and gives full admin access to anyone exploiting the issue in any version of the code prior to version p3.13.0 of the code base.
"On instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with administrator privileges," GitHub disclosed this week in the release notes that accompanied patches for four versions of Enterprise Server.
The bug has been assigned as CVE-2024-4985 and received the maximum severity score of 10. However, not all instances of Enterprise Server are impacted since it requires the optional encrypted assertions feature to be enabled, and that in turn requires SAML SSO to be used as well.
Ironically, encrypted assertions are supposed to bolster security by encrypting communications sent from the SAML identity provider.
Plus, the bug doesn't exist at all in versions based on the latest 3.13.x branch, instead being observed in the 3.9.x, 3.10.x, 3.11.x, and 3.12.x branches. Many users still rely on older versions of software, so the impact of the vulnerability is still likely significant.
Microsoft-owned GitHub - the same Microsoft that has vowed to boost its at times woeful security - says it learned about the flaw through its bug bounty program, which rewards people who poke around GitHub software until they find a vulnerability. More severe bugs score bigger rewards, and in this case whoever reported the issue to GitHub got a windfall of $20-30,000 per GitHub's program.
Though, even $30,000 might be conservative. "The upper bound for critical vulnerabilities is only a guideline, and GitHub may reward higher amounts for exceptional reports," GitHub says. Since this was a maximum severity security hole, the person who found it might have been paid very generously indeed. ®
https://www.theregister.com//2024/05/22/github_enterprise_server_patch/
More articles on Future Tech
From RAGs to riches: A practical guide to making your local AI chatbot smarter
Created by Tan KW | Jun 16, 2024
European Commission may be about to put the squeeze on Apple for its App Store rules
Created by Tan KW | Jun 15, 2024
Microsoft answered Congress' questions on security. Now the White House needs to act
Created by Tan KW | Jun 15, 2024
OpenAI CEO says company could become benefit corporation- The Information
Created by Tan KW | Jun 15, 2024
Apple, Meta set to face EU charges under landmark tech rules, sources say
Created by Tan KW | Jun 15, 2024
Stanford Internet Observatory wilts under legal pressure during election year
Created by Tan KW | Jun 15, 2024
Discussions
Be the first to like this. Showing 0 of 0 comments
Post a Comment
Featured Posts
New Update. Discover investment communities that resonate with your ideas
Apps
Top Articles
1
THE INVESTMENT APPROACH OF CALVIN TAN
2
CEO Morning Brief
FTSE4Good Bursa Adds 12 New Counters, Including YTL Power and Sunway
5
BFM Podcast
6
TA Sector Research
7
BFM Podcast
8
BFM Podcast
#
Stock
Score
Daily Stocks
Stock Name
Last
Change
Volume
Stock Name
Last
Change
Volume
Stock Name
Last
Change
Volume
MQ Trading Signals
Stock
Time
Signal
Duration
No trading signals available.
Stock
Time
Signal
Duration
No trading signals available.
Featured Advertisers / Partners
Ride The Bull Short The Bear
CS Tan
4.9 / 5.0
This book is the result of the author's many years of experience and observation throughout his 26 years in the stockbroking industry. It was written for general public to learn to invest based on facts and not on fantasies or hearsay....
