Cryptographic Signature Spoofing Vulnerability in GitHub Enterprise Server
CVE-2025-23369
6.1 MEDIUM
Summary
An improper verification of cryptographic signature vulnerability was discovered in GitHub Enterprise Server that allows unauthorized internal users to spoof signatures. The flaw affects all versions prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0, and specifically impacts instances that do not use SAML single sign-on. The advisory draws attention to the risk posed by internal (insider) threats and stresses the importance of updating affected systems to mitigate potential exploitation.
Affected Version(s)
Enterprise Server 3.12.0 through 3.12.13
Enterprise Server 3.13.0 through 3.13.9
Enterprise Server 3.14.0 through 3.14.6
CVSS V4
Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
hakivvi