GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub has revealed that it has rotated some keys in response to a security vulnerability that could be potentially exploited to gain access to credentials within a production container.

The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and that it addressed the issue the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution.

The rotated keys include the GitHub commit signing key as well as GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, necessitating users who rely on these keys to import the new ones.

There is no evidence that the high-severity vulnerability, tracked as CVE-2024-0200 (CVSS score: 7.2), has been previously found and exploited in the wild.

“This vulnerability is also present on GitHub Enterprise Server (GHES),” GitHub’s Jacob DePriest said. “However, exploitation requires an authenticated user with an organization owner role to be logged into an account on the GHES instance, which is a significant set of mitigating circumstances to potential exploitation.”

In a separate advisory, GitHub characterized the vulnerability as a case of “unsafe reflection” GHES that could lead to reflection injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.

Also addressed by GitHub is another high-severity bug tracked as CVE-2024-0507 (CVSS score: 6.5), which could permit an attacker with access to a Management Console user account with the editor role to escalate privileges via command injection.

The development comes nearly a year after the company took the step of replacing its RSA SSH host key used to secure Git operations “out of an abundance of caution” after it was briefly exposed in a public repository.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.