GitHub, the widely used code hosting platform, has recently taken decisive action by rotating several critical keys, a move prompted by the discovery of a high-severity security flaw. This vulnerability, if exploited, could potentially allow unauthorized access to sensitive credentials within a production container.
The vulnerability was brought to GitHub’s attention on December 26, 2023, and the company, a subsidiary of Microsoft, responded promptly on the same day. The precautionary measures included not only addressing the vulnerability but also rotating all credentials that could have been potentially exposed.
Affected by this key rotation are several crucial elements: the GitHub commit signing key and the encryption keys for GitHub Actions, GitHub Codespaces, and Dependabot. Users who depend on these services are now required to update their systems with the newly issued keys.
Cybersecurity experts have been closely monitoring this issue, identified as CVE-2024-0200, which has a CVSS score of 7.2. Despite its high severity, there is no current evidence to suggest that this vulnerability was previously discovered or exploited in real-world scenarios.
Jacob DePriest of GitHub noted, “This vulnerability was also found in GitHub Enterprise Server (GHES). However, the conditions for exploiting it are quite stringent, requiring an authenticated organization owner to be logged into the GHES instance, significantly reducing the risk of exploitation.”
In addition to this, GitHub has resolved another high-severity bug, labeled CVE-2024-0507 (with a CVSS score of 6.5), which could allow an attacker with specific access to escalate privileges through command injection.
This proactive response from GitHub comes after their previous security update nearly a year ago, where they replaced their RSA SSH host key as a preventive measure following its brief exposure in a public repository.