GitHub has revealed that it has rotated some keys in response to a security vulnerability that could potentially be exploited to gain access to credentials within a production container.
The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and addressed the issue the same day, in addition to moving all potentially exposed credentials out of an abundance of caution.
The rotated keys include GitHub commit signing keys as well as GitHub Actions, GitHub Codespaces, and Dependabot client encryption keys, requiring users who trust these keys to import new keys.
There is no evidence that the high-severity vulnerability tracked as CVE-2024-0200 (CVSS score: 7.2) has been previously found and exploited in the wild.
“This vulnerability also exists on GitHub Enterprise Server (GHES),” said Jacob DePriest of GitHub. “However, the exploit requires an authenticated user with the organization owner role to be logged into an account on the GHES instance, a critical set of circumstances mitigating the potential exploit.”
In a separate advisory, GitHub described the vulnerability as a case of “insecure reflection” GHES that could lead to reflection injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5 and 3.11.3.
Also addressed by GitHub is another high-severity bug tracked as CVE-2024-0507 (CVSS score: 6.5), which could permit an attacker with access to a Management Console user account with the editor role to escalate privileges via command injection.
The development comes nearly a year after the company took the step to replace its RSA SSH host key used to secure Git operations “out of an abundance of caution” after it was briefly exposed in a public repository.
