GitHub Enterprise – 3.14.2

Please note this list of changes is not exhaustive, but has been curated to changes which affect users of the NC State GitHub service.

A full list of changes can be found on the official GitHub Enterprise 3.14 Release Notes.

Security fixes

MEDIUM: Malicious URLs for SVG assets provided information about a victim user who clicked the URL, allowing an attacker to retrieve metadata belonging to the user and use it to generate a convincing phishing page. This required the attacker to upload malicious SVGs and phish a victim user to click the URL for the uploaded asset. This vulnerability was reported via the GitHub Bug Bounty program.
HIGH: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server. This was a regression introduced as part of follow-up remediation from CVE-2024-4985, which resulted in a new variant of the vulnerability. Please note that encrypted assertions are not enabled by default. Instances not utilizing SAML SSO, or utilizing SAML SSO authentication without encrypted assertions, are not impacted. Additionally, an attacker would require direct network access as well as a signed SAML response or metadata document. GitHub has requested CVE ID CVE-2024-9487. This vulnerability was reported via the GitHub Bug Bounty program.

A missing configuration value would cause Dependabot to be unable to create group update pull requests.
An unhandled nil value when configuring Actions storage with AWS S3 via OIDC configuration in the terminal could cause an error.
Users were unable to sign out from gist pages.
Suspended users were not always correctly routed to the correct "suspended" page.
The "List teams" API endpoint returned duplicate results when paginating.
When managing the organization permissions required for fine-grained personal access tokens, for custom properties or projects, the Admin access level could not be selected.

Pre-receive hook environments can use the clone3() system call.
The creation, deletion, or change in visibility of a gist has been added to the audit log.