GitHub has disclosed that it rotated certain keys as a precautionary measure after a security vulnerability that could have allowed unauthorized access to credentials inside a production container.
According to the Microsoft-owned subsidiary, the issue came to their attention on December 26, 2023. They promptly addressed the problem on the same day and rotated all conceivably compromised credentials as a proactive measure.
The rotated keys include the GitHub commit signing key as well as the GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys. Consequently, users relying on any of these keys are advised to import the updated versions.
Despite the severity of the vulnerability, identified as CVE-2024-0200 with a CVSS score of 7.2, there is no indication that it was exploited in the wild. GitHub's Jacob DePriest emphasized that while the vulnerability also affects GitHub Enterprise Server (GHES), exploitation requires an authenticated user with the organization owner role to be logged into an account on the GHES instance, which significantly limits the practical risk.
Additionally, GitHub addressed another critical bug, tracked as CVE-2024-0507 with a CVSS score of 6.5, which could allow an attacker with access to a Management Console user account with the editor role to elevate privileges through command injection.
These measures follow a previous incident where GitHub replaced its RSA SSH host key, used for securing Git operations, due to brief exposure in a public repository, demonstrating the company’s commitment to proactive security measures.