How severe is CVE-2024-9487?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-9487?

This is classified as CWE-347, which is a common weakness in software security.

CVE-2024-9487 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed SAML SSO authentication to be bypassed resulting in unauthorized provisioning of users and access to the instance. Exploitation required the encrypted assertions feature to be enabled, and the attacker would require direct network access as well as a signed SAML response or metadata document. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.15 and was fixed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. This vulnerability was reported via the GitHub Bug Bounty program.

Related Vulnerabilities

CVE-2019-20597

CRITICAL

CVSS:9.1(Critical)

An issue was discovered on Samsung mobile devices with N(7.1), O(8.x), and P(9.0) software. SPENgesture allows arbitrary applications to read or modify user-input logs. The Samsung ID is SVE-2019-1417...

CWE-3472019

CVE-2020-12676

CRITICAL

CVSS:9.1(Critical)

FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack".

CWE-3472020

CVE-2020-9753

CRITICAL

CVSS:9.1(Critical)

Whale Browser Installer before 1.2.0.5 versions don't support signature verification for Flash installer.

CWE-3472020

CVE-2021-29451

CRITICAL

CVSS:9.1(Critical)

Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patch...

CWE-3472021

CVE-2021-30246

CRITICAL

CVSS:9.1(Critical)

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.

CWE-3472021

CVE-2023-34205

CRITICAL

CVSS:9.1(Critical)

In Moov signedxml through 1.0.0, parsing the raw XML (as received) can result in different output than parsing the canonicalized XML. Thus, signature validation can be bypassed via a Signature Wrappin...

CWE-3472023