GitHub revealed that it has rotated some keys in response to a security vulnerability that could be exploited to obtain credentials within production containers.
The Microsoft-owned subsidiary said it became aware of the issue on December 26, 2023 and fixed it the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution.
Keys being rotated include GitHub commit signing keys and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, so users who rely on these keys will need to import new keys.
There is no evidence that the high-severity vulnerability CVE-2024-0200 (CVSS score: 7.2) has been previously discovered and exploited.
“This vulnerability also exists on GitHub Enterprise Server (GHES),” said GitHub’s Jacob DePriest. “However, exploiting this vulnerability requires an authenticated user with the Organization Owner role to log into an account on the GHES instance, which is an important set of mitigation circumstances for potential exploitation.”
In a separate advisory, GitHub described the vulnerability as a case of “unsafe reflection” GHES, which could lead to reflective injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5 and 3.11.3.
GitHub also addressed another high-severity bug tracked as CVE-2024-0507 (CVSS score: 6.5), which could allow an attacker with access to an Admin console user account with the Editor role to pass a command Inject to escalate privileges.
Nearly a year ago, the company took the step to replace the RSA SSH host keys used to protect Git operations “out of an abundance of caution” after it was briefly exposed in a public repository.
