@soby of Freefly Security discovered a method to bypass signature checks within GitHub Enterprise’s parsing of SAML responses. SAML responses contain “Enveloped Signatures,” within a
Signature element, and the content of this signature data is not included in the calculation of the signature. @soby identified that by injecting a
Subject tag within this unsigned section of the response, it was possible to have our SAML implementation use unsigned data to determine which user account was authenticated. This attack would require the modification of a validly signed SAML response.
We fixed this issue by performing much stricter parsing of the received responses to ensure that all authentication data has been properly signed. This issue has been fixed in GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, and 2.4.23.