GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

GitHub has revealed that it has rotated some keys in response to a security vulnerability that could be potentially exploited to gain access to credentials within a production container.

The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and that it addressed the issue the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution.

There is no evidence that the high-severity vulnerability, tracked as CVE-2024-0200 (CVSS score: 7.2), has been previously found and exploited in the wild.

“This vulnerability is also present on GitHub Enterprise Server (GHES),” GitHub’s Jacob DePriest said. “However, exploitation requires an authenticated user with an organization owner role to be logged into an account on the GHES instance, which is a significant set of mitigating circumstances to potential exploitation.”

In a separate advisory, GitHub characterized the vulnerability as a case of “unsafe reflection” GHES that could lead to reflection injection and remote code execution. It has been patched in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.

The development comes nearly a year after the company took the step of replacing its RSA SSH host key used to secure Git operations “out of an abundance of caution” after it was briefly exposed in a public repository.