GitHub Enterprise – 3.14.3
Please note that this list of changes is not exhaustive; it has been curated to the changes that affect users of the NC State GitHub service.
A full list of changes can be found on the official GitHub Enterprise 3.14 Release Notes.
Security fixes
- Elasticsearch packages have been updated to the latest security versions.
- Packages have been updated to the latest security versions.
- HIGH: An attacker could bypass SAML single sign-on (SSO) authentication when the optional encrypted assertions feature is enabled, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This is a follow-up fix for CVE-2024-9487 that further hardens the encrypted assertions feature against this type of attack. Please note that encrypted assertions are not enabled by default. Instances not using SAML SSO, or using SAML SSO without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document to exploit this vulnerability.
- HIGH: An attacker could achieve container escape and privilege escalation to root by exploiting a path collision and arbitrary code execution via the ghe-firejail path. GitHub has requested CVE ID CVE-2024-10007 for this vulnerability, which was reported via the GitHub Bug Bounty program.
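The SAML item above describes a vulnerability class, improper verification of cryptographic signatures on encrypted assertions, rather than a mechanism. The following is an added illustration of that class written for this page; it is not GitHub Enterprise Server code and does not reproduce the specific CVE-2024-9487 follow-up flaw. It uses stand-in primitives so it runs offline (an HMAC in place of the IdP's XML-DSig, a keystream derived from a public value in place of XML encryption to the SP's public key), and all key names, URLs and NameIDs are constructed. The point it demonstrates is general: encryption to the service provider's public key gives confidentiality only, since anyone holding the published SP key can produce ciphertext the SP will decrypt, so the SP must still verify the IdP's signature over the decrypted assertion before trusting any field in it.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in keys (hypothetical). In real SAML the IdP signs with an
# asymmetric key and the SP verifies with the IdP certificate from metadata;
# the assertion is encrypted to the SP's public key, which is published in the
# SP's own metadata and therefore available to an attacker as well.
IDP_SIGNING_KEY = b"idp-signing-key (hypothetical stand-in for the IdP private key)"
SP_PUBLIC_KEY = b"sp-encryption-key (hypothetical, known to everyone)"
AUDIENCE = "https://github.example.edu"  # constructed SP entity ID


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in for XML encryption: SHA-256 counter keystream from a key anyone
    # can know. Symmetric only so the example runs without a crypto library.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_for_sp(plaintext: bytes) -> str:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(SP_PUBLIC_KEY, len(plaintext))))
    return base64.b64encode(ct).decode()


def decrypt_at_sp(ciphertext_b64: str) -> bytes:
    ct = base64.b64decode(ciphertext_b64)
    return bytes(a ^ b for a, b in zip(ct, _keystream(SP_PUBLIC_KEY, len(ct))))


def idp_sign(assertion: dict) -> str:
    # Stand-in for the XML-DSig the IdP places on the assertion; the verifier
    # would use the IdP certificate, not a shared secret, in a real deployment.
    canonical = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def idp_issue(name_id: str) -> str:
    """Honest IdP: sign the assertion, then encrypt the signed assertion for the SP."""
    assertion = {"NameID": name_id, "Audience": AUDIENCE}
    envelope = {"Assertion": assertion, "Signature": idp_sign(assertion)}
    return encrypt_for_sp(json.dumps(envelope).encode())


def attacker_forge(name_id: str) -> str:
    """Attacker: has no IdP signing key, but can encrypt anything to the SP key."""
    assertion = {"NameID": name_id, "Audience": AUDIENCE}
    envelope = {"Assertion": assertion, "Signature": "0" * 64}  # garbage signature
    return encrypt_for_sp(json.dumps(envelope).encode())


def vulnerable_accept(encrypted_assertion: str):
    """Flawed SP: treats successful decryption as proof the IdP issued the assertion."""
    envelope = json.loads(decrypt_at_sp(encrypted_assertion))
    return envelope["Assertion"]["NameID"]


def hardened_accept(encrypted_assertion: str):
    """Correct SP: decrypt, then verify the IdP signature over the decrypted
    assertion (and its audience) before trusting the NameID; reject otherwise."""
    envelope = json.loads(decrypt_at_sp(encrypted_assertion))
    assertion = envelope.get("Assertion", {})
    expected = idp_sign(assertion)
    if not hmac.compare_digest(expected, str(envelope.get("Signature", ""))):
        return None  # not issued by the IdP
    if assertion.get("Audience") != AUDIENCE:
        return None  # signed, but not for this SP
    return assertion["NameID"]


if __name__ == "__main__":
    print("vulnerable, legit :", vulnerable_accept(idp_issue("alice")))
    print("vulnerable, forged:", vulnerable_accept(attacker_forge("admin")))
    print("hardened, legit   :", hardened_accept(idp_issue("alice")))
    print("hardened, forged  :", hardened_accept(attacker_forge("admin")))
```

The forged envelope is accepted by the flawed verifier and rejected by the hardened one; a real SP additionally checks the signature's reference actually covers the decrypted assertion element, the certificate chain, and the assertion's validity window.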