Security News GitHub rotates keys to mitigate impact of credential-exposing flaw

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,256
GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.

This unsafe reflection vulnerability (tracked as CVE-2024-0200) can allow attackers to gain remote code execution on unpatched servers.

It was also patched on Tuesday in GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, with the company urging all customers to install the security update as soon as possible.

While allowing threat actors to gain access to environment variables of a production container, including credentials, successful exploitation requires authentication with an organization owner role (with admin access to the organization).
Although most of the keys rotated by GitHub in December require no customer action, those using GitHub's commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys will have to import the new public keys.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top