GitHub has rotated encryption keys following the discovery of a vulnerability that could have enabled threat actors to steal credentials, the company revealed Tuesday.
The Microsoft-owned firm said it first became aware of the high-severity security flaw tracked as CVE-2024-0200 on 26 December 2023. After investigating the issue and verifying there was no evidence it had been exploited in attacks, GitHub moved swiftly to rotate potentially exposed keys the same day as a precautionary measure.
The keys rotated include GitHub’s commit signing key along with customer encryption keys used for sensitive services such as GitHub Actions, GitHub Codespaces, and Dependabot. Users relying on these keys will need to import the newly generated ones to avoid potential disruption.
While concerning, the vulnerability is mitigated by the need for an attacker to have an authenticated user account with organisation owner privileges logged into the targeted GitHub Enterprise Server instance, according to GitHub’s head of security Jacob DePriest.
There is no evidence so far that the flaw has been exploited outside of internal testing.
GitHub said “unsafe reflection” in GitHub Enterprise Server could lead to reflection injection and ultimately enable remote code execution in certain circumstances. The issue is fixed in recently released patched versions 3.8.13, 3.9.8, 3.10.5 and 3.11.3.
In addition to rotating keys, GitHub addressed another high-severity vulnerability this week that could have allowed elevation of privilege. Tracked as CVE-2024-0507, the command injection flaw only impacted GitHub Enterprise Server Management Console users with editor role privileges.
(Photo by Farhan Azam on Unsplash)
See also: Open source wins concessions in new EU cyber law
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with IoT Tech Expo and Digital Transformation Week.
Additionally, the upcoming Cloud Transformation Conference is a free virtual event for business and technology leaders to explore the evolving landscape of cloud transformation. Book your free virtual ticket to explore the practicalities and opportunities surrounding cloud adoption.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.