GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

We Keep you Connected

GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub has revealed that it has rotated some keys in response to a security vulnerability that could be potentially exploited to gain access to credentials within a production container.
The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and that it addressed the issue the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution.
The rotated keys include the GitHub commit signing key as well as GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, necessitating users who rely on these keys to import the new ones.
There is no evidence that the high-severity vulnerability, tracked as CVE-2024-0200 (CVSS score: 7.2), has been previously found and exploited in the wild.
“This vulnerability is also present on GitHub Enterprise Server (GHES),” GitHub’s Jacob DePriest said. “However, exploitation requires an authenticated user with an organization owner role to be logged into an account on the GHES instance, which is a significant set of mitigating circumstances to potential exploitation.”
In a separate advisory, GitHub characterized the vulnerability as a case of “unsafe reflection” GHES that could lead to reflection injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
Also addressed by GitHub is another high-severity bug tracked as CVE-2024-0507 (CVSS score: 6.5), which could permit an attacker with access to a Management Console user account with the editor role to escalate privileges via command injection.
The development comes nearly a year after the company took the step of replacing its RSA SSH host key used to secure Git operations “out of an abundance of caution” after it was briefly exposed in a public repository.
Report: Unveiling the Threat of Malicious Browser Extensions
Download the Report to learn the Risks of Malicious Extensions and How to Mitigate Them.
Firewalls vs. Zero Trust: Minimize Your Attack Surface
Learn latest trends in the attack landscape, attacker strategies, and how to implement Zero Trust Security.
Key findings from a study of 493 companies: what worked, what didn’t. Apply insights to your SaaS strategy in 2024.
Firewalls & VPNs can’t keep up. Discover how Zero Trust minimizes risks. Join our webinar with Zscaler & revolutionize your security strategy.
Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE