@jkakavas discovered a bug with the signature checking in GitHub Enterprise’s parsing of SAML responses. SAML uses cryptographic signatures to verify the authenticity of a SAML response. However, the signature validation logic was skipped due to a bug in our lookup of the public key associated with the SAML provider. This could have allowed an attacker to construct a SAML response that could arbitrarily set the authenticated user account.

We addressed the issue by fixing the bug in the way we were looking up the SAML provider’s public key. In addition, we updated our test suite around this functionality and changed the signature validation logic to “fail closed” if a similar bug occurred in the future. This issue has been fixed in GitHub Enterprise 2.8.6, 2.7.10, 2.6.15, and 2.5.20 (version 2.4.x was not affected).
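The bug class described above, and the “fail closed” fix, as an added illustration that is not GitHub’s code and not taken from the advisory. It assumes a heavily simplified stand-in for a SAML Response (a few signed fields plus raw RSA signature bytes, with XML-DSig canonicalisation abstracted away), a constructed IdP keypair, and constructed entity IDs; the `authenticate_fail_open` and `authenticate_fail_closed` names are hypothetical. The fail-open version shows how a failed key lookup can bypass the verify call entirely; the hardened version makes every failure (missing key, missing or malformed signature, library error) land on the same reject path, and `regression_cases` builds the negative inputs a service provider’s test suite should cover.

```ruby
require 'openssl'

# Constructed sample data (not from the advisory): one trusted IdP keypair,
# registered under its entityID, as a SAML service provider would store it.
IDP_ENTITY_ID = 'https://idp.example.test/saml/metadata'
IDP_KEY       = OpenSSL::PKey::RSA.new(2048)
TRUSTED_IDPS  = { IDP_ENTITY_ID => IDP_KEY.public_key }.freeze

# Minimal stand-in for a SAML Response: the fields covered by the signature
# plus the signature bytes. Real responses are XML signed with XML-DSig;
# the canonicalisation step is abstracted away here.
SamlResponse = Struct.new(:issuer, :name_id, :signature) do
  # The exact bytes the IdP signs and the SP verifies.
  def signed_payload
    "#{issuer}|#{name_id}"
  end
end

# Helper used only to build sample input: sign a response as an IdP would.
def issue_response(issuer, name_id, key)
  resp = SamlResponse.new(issuer, name_id, nil)
  resp.signature = key.sign(OpenSSL::Digest.new('SHA256'), resp.signed_payload)
  resp
end

# Vulnerable pattern (illustrative, hypothetical code): the only rejection
# path is a verify call that returns false. When the key lookup comes back
# empty, that call is never reached, so an unverified name_id is accepted.
def authenticate_fail_open(resp, registry)
  key = registry[resp.issuer]
  if key
    ok = key.verify(OpenSSL::Digest.new('SHA256'), resp.signature, resp.signed_payload)
    return nil unless ok
  end
  resp.name_id
end

# Hardened pattern: authentication succeeds only when every step positively
# succeeds. A missing key, a missing signature, an exception raised inside
# the crypto library, or a verify result that is anything but `true` all
# reject. A future lookup bug therefore fails closed rather than open.
def authenticate_fail_closed(resp, registry)
  key = registry[resp.issuer]
  return nil if key.nil? || resp.signature.nil?
  verified = begin
    key.verify(OpenSSL::Digest.new('SHA256'), resp.signature, resp.signed_payload)
  rescue OpenSSL::PKey::PKeyError
    false
  end
  verified == true ? resp.name_id : nil
end

# Regression inputs a service provider's test suite should cover. All values
# are constructed. The "unknown issuer" case is the one a fail-open lookup
# gets wrong; the others exercise the ordinary signature checks.
def regression_cases
  genuine  = issue_response(IDP_ENTITY_ID, 'alice', IDP_KEY)
  tampered = issue_response(IDP_ENTITY_ID, 'alice', IDP_KEY)
  tampered.name_id = 'admin'                       # payload changed after signing
  untrusted_key = OpenSSL::PKey::RSA.new(2048)     # a key the SP has never registered
  unknown  = issue_response('https://idp.unknown.example.test/metadata', 'admin', untrusted_key)
  unsigned = SamlResponse.new(IDP_ENTITY_ID, 'admin', nil)
  { genuine: genuine, tampered: tampered, unknown_issuer: unknown, unsigned: unsigned }
end

if __FILE__ == $PROGRAM_NAME
  regression_cases.each do |name, resp|
    puts format('%-15s fail_closed=%p', name, authenticate_fail_closed(resp, TRUSTED_IDPS))
  end
end
```

Running the file prints the outcome of each regression case under the hardened verifier: only `genuine` yields a user, and every other case returns `nil`. The structural point is that `authenticate_fail_closed` has a single success path that requires an affirmative `true` from the library, so a lookup that silently returns `nil` can no longer turn into an authenticated session.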