GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.
This unsafe reflection vulnerability (tracked as
CVE-2024-0200) can allow attackers to gain remote code execution on unpatched servers.
It was also patched on Tuesday in GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, with the company urging all customers to install the security update as soon as possible.
While allowing threat actors to gain access to environment variables of a production container, including credentials, successful exploitation requires authentication with an
organization owner role (with admin access to the organization).
