GitHub Takes Precautionary Measures Following Discovery of Credential-Exposing Flaw

January 16, 2024

GitHub has taken steps to address a vulnerability, identified as CVE-2024-0200, that could have allowed attackers to access credentials within production containers via environment variables. This vulnerability could have potentially allowed for remote code execution on servers that had not been updated with the latest security patches. GitHub has since patched this flaw in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3 of GitHub Enterprise Server (GHES) and is urging all customers to install the security update as soon as possible.

The flaw could have allowed threat actors to gain access to environment variables of a production container, including credentials. However, successful exploitation would have required authentication with an organization owner role, which comes with admin access to the organization. Jacob DePriest, GitHub's VP and Deputy Chief Security Officer, stated, "On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container. We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credential."

GitHub has conducted a thorough investigation and believes with high confidence that this vulnerability has not been previously discovered and exploited. Despite the organization owner role requirement serving as a significant mitigating factor and the vulnerability's impact being limited to the researcher who discovered and reported it, GitHub still decided to rotate the credentials as a precautionary measure.

While most of the keys rotated by GitHub in December do not require any action on the part of the customers, those using GitHub's commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys will need to import the new public keys. DePriest added, "We strongly recommend regularly pulling the public keys from the API to ensure you're using the most current data from GitHub. This will also allow for seamless adoption of new keys in the future."

In addition to CVE-2024-0200, GitHub also addressed a second high-severity Enterprise Server command injection vulnerability, tracked as CVE-2024-0507, that could have allowed attackers with a Management Console user account and an editor role to escalate privileges. This is not the first instance of GitHub having to rotate or revoke exposed or stolen secrets in the past year. The company had previously rotated its GitHub.com private SSH key after it was accidentally exposed via a public GitHub repository, and it had to revoke code-signing certificates for its Desktop and Atom applications after they were stolen following a breach of the company's development and release planning repositories in December 2022.

Latest News

• Citrix Issues Urgent Warning for Two Actively Exploited Zero-Day Vulnerabilities
• Google Addresses First Actively Exploited Chrome Zero-Day Vulnerability of 2024
• Androxgh0st Malware Botnet Targets AWS and Microsoft Credentials: FBI and CISA Alert
• Critical Vulnerability in VMware Aria Automation Addressed: Immediate Update Recommended
• Critical RCE Vulnerability Found in Older Atlassian Confluence Versions