CVE-2024-4985

9.8 CRITICAL

📋 TL;DR

This CVE describes an authentication bypass vulnerability in GitHub Enterprise Server when using SAML SSO with encrypted assertions. Attackers can forge SAML responses to create or access site administrator accounts without authentication. All GHES versions before 3.13.0 are affected.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.13.0
Operating Systems: All supported GHES platforms
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using SAML single sign-on with the optional encrypted assertions feature enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the GitHub Enterprise Server instance with attacker gaining site administrator privileges, allowing data theft, code manipulation, and full system control.

🟠 Likely Case

Unauthorized access to administrative functions, potential data exfiltration, and privilege escalation within the GitHub instance.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, but still represents a critical authentication bypass.

🌐 Internet-Facing: HIGH - GitHub Enterprise Server instances with SAML SSO exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Even internally hosted instances are vulnerable if attackers gain network access or if insider threats exist.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires knowledge of SAML response forging and targeting of GHES instances with specific SAML configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.15, 3.10.12, 3.11.10, 3.12.4, or 3.13.0+

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.12

Restart Required: Yes

Instructions:

1. Backup your GHES instance.
2. Upgrade to a patched version (3.9.15, 3.10.12, 3.11.10, 3.12.4, or 3.13.0+).
3. Restart the instance.
4. Verify SAML authentication works correctly.

🔧 Temporary Workarounds

Disable SAML Encrypted Assertions (applies to all affected versions)

Temporarily disable the encrypted assertions feature in the SAML configuration until patching is possible.

Navigate to Management Console > Authentication > SAML > Disable 'Encrypt assertions'

🧯 If You Can't Patch

  • Disable SAML SSO entirely and use alternative authentication methods
  • Implement strict network access controls to limit GHES access to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check the GHES version via the Management Console or SSH: if the version is below the patched release for its branch (3.9.15 for 3.9.x, 3.10.12 for 3.10.x, 3.11.10 for 3.11.x, 3.12.4 for 3.12.x, or any release before 3.13.0 on an older branch), and SAML with encrypted assertions is enabled, the system is vulnerable.

Check Version:

ssh -p 122 admin@GHES-instance 'ghe-version' (the administrative shell listens on port 122 and the utility is named ghe-version), or check the Management Console dashboard

Verify Fix Applied:

After patching, verify the version is at or above the patched release for its branch (3.9.15+, 3.10.12+, 3.11.10+, 3.12.4+, or 3.13.0+) and test SAML authentication functionality.
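The version comparison above is per branch (3.10.12 is fixed while 3.11.9 is not), which is easy to get wrong in a fleet inventory script. The following is an added example, not code from the advisory or from GitHub: it parses the version string reported by the instance (output format assumed; only a dotted x.y.z is required) and classifies the host, treating the encrypted-assertions setting as a separately supplied boolean.

```python
import re

# Patched releases per branch, taken from this advisory's fix list.
# Branches 3.13 and later shipped fixed; branches before 3.9 have no
# patched release listed here, so they are treated as unpatched.
FIXED_PATCH_BY_BRANCH = {(3, 9): 15, (3, 10): 12, (3, 11): 10, (3, 12): 4}
FIRST_FIXED_BRANCH = (3, 13)


def parse_ghes_version(text):
    """Pull major.minor.patch out of the version utility's output.

    The exact output format is assumed; only a dotted triple is required.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def code_is_patched(version):
    """Branch-aware comparison: 3.10.12 is fixed even though 3.11.9 is not."""
    major, minor, patch = version
    branch = (major, minor)
    if branch >= FIRST_FIXED_BRANCH:
        return True
    if branch in FIXED_PATCH_BY_BRANCH:
        return patch >= FIXED_PATCH_BY_BRANCH[branch]
    return False


def assess(version_text, encrypted_assertions_enabled):
    """Classify an instance for CVE-2024-4985.

    Returns FIXED, UNPATCHED_NOT_EXPOSED (vulnerable code, but the SAML
    encrypted-assertions feature is off, so the upgrade is still due)
    or EXPOSED (vulnerable code with the feature enabled).
    """
    version = parse_ghes_version(version_text)
    if code_is_patched(version):
        return "FIXED"
    if not encrypted_assertions_enabled:
        return "UNPATCHED_NOT_EXPOSED"
    return "EXPOSED"


if __name__ == "__main__":
    # Constructed sample output; replace with the real utility's output.
    sample = "GitHub Enterprise Server 3.10.11"
    print(sample, "->", assess(sample, encrypted_assertions_enabled=True))
```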

📡 Detection & Monitoring

Log Indicators:

  • Unexpected SAML authentication attempts
  • Administrator account creation from unusual sources
  • Failed SAML decryption errors

Network Indicators:

  • Unusual SAML response traffic to GHES instance
  • Authentication requests from unexpected IP addresses

SIEM Query:

source="github-enterprise" AND (event="saml_auth" OR event="user_create") AND result="success" | stats count by src_ip, user

🔗 References
