GitHub Takes Precautionary Measures Following Discovery of Credential-Exposing Flaw

January 16, 2024

GitHub has taken steps to address a vulnerability, identified as CVE-2024-0200, that could have allowed attackers to access credentials within production containers via environment variables. This vulnerability could have potentially allowed for remote code execution on servers that had not been updated with the latest security patches. GitHub has since patched this flaw in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3 of GitHub Enterprise Server (GHES) and is urging all customers to install the security update as soon as possible.

The flaw could have allowed threat actors to gain access to environment variables of a production container, including credentials. However, successful exploitation would have required authentication with an organization owner role, which comes with admin access to the organization. Jacob DePriest, GitHub's VP and Deputy Chief Security Officer, stated, "On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container. We fixed this vulnerability on the same day and began rotating all potentially exposed credential."

GitHub has conducted a thorough investigation and believes with high confidence that this vulnerability has not been previously discovered and exploited. Despite the organization owner role requirement serving as a significant mitigating factor and the vulnerability's impact being limited to the researcher who discovered and reported it, GitHub still decided to rotate the credentials as a precautionary measure.

While most of the keys rotated by GitHub in December do not require any action on the part of the customers, those using GitHub's commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys will need to import the new public keys. DePriest added, "We strongly recommend regularly pulling the public keys from the API to ensure you're using the most current data from GitHub. This will also allow for seamless adoption of new keys in the future."

In addition to CVE-2024-0200, GitHub also addressed a second high-severity Enterprise Server command injection vulnerability, tracked as CVE-2024-0507, that could have allowed attackers with a Management Console user account and an editor role to escalate privileges. This is not the first instance of GitHub having to rotate or revoke exposed or stolen secrets in the past year. The company had previously rotated its private SSH key after it was accidentally exposed via a public GitHub repository, and it had to revoke code-signing certificates for its Desktop and Atom applications after they were stolen following a breach of the company's development and release planning repositories in December 2022.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.