GitHub rotates credentials following vulnerability discovery

Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he's probably into it. Find him on Twitter (@Gadget_Ry) or Mastodon (@gadgetry@techhub.social)


GitHub has rotated a set of signing and encryption keys after discovering a vulnerability that could have let attackers steal credentials, the company revealed on Tuesday.

The Microsoft-owned firm said it first became aware of the high-severity flaw, tracked as CVE-2024-0200, on 26 December 2023. Having found no evidence that it had been exploited in attacks, GitHub nonetheless rotated the potentially exposed keys the same day as a precaution.

The rotated keys include GitHub's commit signing key, along with the customer encryption keys used by GitHub Actions, GitHub Codespaces and Dependabot. Anyone who pinned or hard-coded the previous public keys, for example to verify commits signed by GitHub, will need to import the newly generated ones: signatures made with the new key will not verify against the old one.

While concerning, the vulnerability is mitigated by its preconditions: the attacker needs an authenticated account with organisation owner privileges on the targeted GitHub Enterprise Server instance, according to GitHub's head of security Jacob DePriest.

There is no evidence so far that the flaw has been exploited outside of internal testing.

GitHub said the root cause is "unsafe reflection" in GitHub Enterprise Server, meaning the server resolved a class or method name from attacker-influenced input. That can lead to reflection injection and, in certain circumstances, remote code execution. The issue is fixed in the recently released patched versions 3.8.13, 3.9.8, 3.10.5 and 3.11.3.
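To make the bug class concrete, here is an added, constructed Ruby example; it is not GitHub Enterprise Server code, and the advisory does not say which component was affected. It shows a dispatcher that resolves a class and a method from request-controlled strings, beside an allowlisted replacement. The exporter classes, the `unsafe_export` and `safe_export` functions and the attack input are all assumptions made for the illustration.

```ruby
# Added illustration of "unsafe reflection" (reflection injection) in Ruby and a
# hardened replacement. Constructed example: not code from GitHub Enterprise
# Server. Class names, method names and inputs are assumptions for the demo.

# Two classes the application legitimately wants to pick by name.
class CsvExporter
  def run(rows)
    rows.map { |r| r.join(',') }.join("\n")
  end
end

class JsonExporter
  def run(rows)
    '[' + rows.map { |r| '[' + r.map(&:to_s).join(',') + ']' }.join(',') + ']'
  end
end

# VULNERABLE: both the class and the method come straight from the request.
# Object.const_get resolves *any* constant and public_send calls *any* public
# method, so the caller is not limited to the exporters or to `run`.
def unsafe_export(format, action, payload)
  klass = Object.const_get(format)       # attacker picks the class
  klass.new.public_send(action, payload) # attacker picks the method
end

# What an attacker sends: a legitimate class name, but `action` names a method
# that treats its argument as code. The data parameter becomes the program.
def reflection_injection_demo
  unsafe_export('JsonExporter', 'instance_eval', '6 * 7')
end

# HARDENED: never resolve names with reflection. Map the external identifier
# to an explicit allowlist, make the method a literal, and validate the
# argument's shape before handing it over.
EXPORTERS = { 'csv' => CsvExporter, 'json' => JsonExporter }.freeze

def safe_export(format, rows)
  klass = EXPORTERS.fetch(format) { raise ArgumentError, "unknown format #{format.inspect}" }
  unless rows.is_a?(Array) && rows.all? { |r| r.is_a?(Array) }
    raise ArgumentError, 'rows must be an Array of Arrays'
  end
  klass.new.run(rows) # the method name is fixed, not a parameter
end

if __FILE__ == $PROGRAM_NAME
  rows = [[1, 2], [3, 4]]
  puts unsafe_export('CsvExporter', 'run', rows) # intended use works...
  p reflection_injection_demo                    # ...and so does arbitrary code: 42
  puts safe_export('json', rows)
  begin
    safe_export('JsonExporter', rows)            # a bare class name is not an allowlist key
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The fix is not "sanitise the class name": any lookup that maps an external string to a constant or method will eventually reach something dangerous. The allowlist hash makes the set of reachable targets explicit and reviewable, and fixing the method name removes the second reflection step entirely.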

In addition to rotating keys, GitHub this week addressed another high-severity vulnerability that could have allowed elevation of privilege. Tracked as CVE-2024-0507, the command injection flaw affects GitHub Enterprise Server and requires the attacker to already hold the editor role in the Management Console.
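The same before-and-after treatment for the command injection class, as an added, constructed Ruby example (not the Management Console's own code, which the advisory does not show): a helper that builds a shell command by string interpolation, beside one that passes an argv array so no shell is involved, plus an input allowlist as defence in depth. `echo` stands in for whatever tool a real feature would invoke; the function names and the payload are assumptions.

```ruby
require 'open3'

# Added illustration of OS command injection and two layers of fix.
# Constructed example: not Management Console code. `echo` stands in for a
# real tool; function names and inputs are assumptions for the demo.

# Classic probe payload: a harmless value followed by a second command.
INJECTED = 'hi; echo INJECTED'.freeze

# VULNERABLE: interpolating a request value into a command string. Because the
# string contains shell metacharacters, Ruby hands it to /bin/sh, which runs
# both commands.
def unsafe_echo(label)
  `echo #{label}`
end

# FIX 1: pass argv as separate array elements. The process is spawned
# directly, so `;` is just a byte inside the single argument `echo` receives.
def argv_echo(label)
  out, status = Open3.capture2('echo', label)
  raise "echo failed: #{status}" unless status.success?
  out
end

# FIX 2 (defence in depth): reject anything outside the expected character
# set before it reaches any subprocess at all.
LABEL_RE = /\A[A-Za-z0-9._-]{1,64}\z/.freeze

def safe_echo(label)
  raise ArgumentError, "invalid label #{label.inspect}" unless LABEL_RE.match?(label)
  argv_echo(label)
end

# True if the injected command actually produced its own output line.
def injection_succeeded?(fn)
  fn.call(INJECTED).lines.map(&:strip).include?('INJECTED')
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_echo(INJECTED)                       # "hi\nINJECTED\n": second command ran
  p argv_echo(INJECTED)                         # "hi; echo INJECTED\n": treated as data
  p injection_succeeded?(method(:unsafe_echo))  # true
  p injection_succeeded?(method(:argv_echo))    # false
  p safe_echo('build-42')                       # "build-42\n"
end
```

The argv form is the fix that matters; the allowlist only narrows what the tool itself sees (useful when the tool interprets its own arguments, for instance a leading `-` as an option). Neither should be replaced by escaping, which is easy to get wrong per shell.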
