GitHub revealed that it has rotated some keys in response to a security vulnerability that could be exploited to access credentials within production containers.
The Microsoft-owned subsidiary became aware of the issue on December 26, 2023, and addressed it the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution.
The rotated keys include GitHub commit signing keys, as well as GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, so users who rely on these keys must import the new ones.
There is no evidence that the high-severity vulnerability, tracked as CVE-2024-0200 (CVSS score: 7.2), had previously been discovered or exploited in the wild.
“This vulnerability also exists in GitHub Enterprise Server (GHES),” said GitHub’s Jacob DePriest. “However, exploitation requires an authenticated user with the organization owner role to be logged into an account on the GHES instance, which is an important set of mitigations for potential exploitation.”
In a separate advisory, GitHub characterizes the vulnerability as a case of “insecure reflection” in GHES that could lead to reflection injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
GitHub also addressed another high-severity bug, tracked as CVE-2024-0507 (CVSS score: 6.5), which could allow an attacker with access to an Admin Console user account holding the Editor role to escalate privileges via command injection.
The development comes nearly a year after the company took steps to replace the RSA SSH host keys used to secure Git operations, “out of an abundance of caution,” after they were briefly exposed in a public repository.