
GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub has revealed that it has rotated some keys in response to a security vulnerability that could potentially be exploited to gain access to credentials within a production container.

The Microsoft-owned subsidiary said it was made aware of the issue on December 26, 2023, and that it addressed the problem the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution.

The rotated keys include the GitHub commit signing key as well as the GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, so users who rely on these keys need to import the new ones.

There is no evidence that the high-severity vulnerability, tracked as CVE-2024-0200 (CVSS score: 7.2), has been previously discovered and exploited in the wild.

“This vulnerability is also present on GitHub Enterprise Server (GHES),” GitHub’s Jacob DePriest said. “However, exploitation requires an authenticated user with an organization owner role to be logged into an account on the GHES instance, which is a significant set of mitigating circumstances to potential exploitation.”


In a separate advisory, GitHub characterised the vulnerability as a case of “unsafe reflection” in GHES that could lead to reflection injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
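To turn that list of fixed releases into a check an administrator can run against an instance inventory, here is an added Python example (not GitHub's code and not part of the original article). It classifies a GHES version string against the patched releases named above; the hostnames and versions in the sample inventory are constructed, and release lines the advisory does not mention are flagged for manual review rather than assumed safe.

```python
# Added example: is a GHES version at or above the release that fixes CVE-2024-0200?
# FIXED_RELEASES holds the first patched release per minor line, as listed in the advisory.
from __future__ import annotations

FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int]] = {
    (3, 8): (3, 8, 13),
    (3, 9): (3, 9, 8),
    (3, 10): (3, 10, 5),
    (3, 11): (3, 11, 3),
}

# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY: dict[str, str] = {
    "ghes-prod.example.internal": "3.10.4",
    "ghes-staging.example.internal": "3.11.3",
    "ghes-legacy.example.internal": "3.7.19",
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optionally prefixed with 'v') into an int tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted' for CVE-2024-0200."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # A line the advisory does not cover (older than 3.8, or newer than 3.11):
        # report it for manual review instead of guessing either way.
        return "unlisted"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def hosts_needing_action(inventory: dict[str, str]) -> dict[str, str]:
    """Map every host that is not confirmed patched to its status."""
    return {host: assess(ver) for host, ver in inventory.items() if assess(ver) != "patched"}


if __name__ == "__main__":
    for host, status in hosts_needing_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```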

Also addressed by GitHub is another high-severity bug tracked as CVE-2024-0507 (CVSS score: 6.5), which could allow an attacker with access to a Management Console user account with the editor role to escalate privileges via command injection.

The development comes nearly a year after the company took the step of replacing its RSA SSH host key used to secure Git operations “out of an abundance of caution” after it was briefly exposed in a public repository.
