Representatives from GitHub Security has announced the rotation of private keys potentially exposed by a newly discovered vulnerability, which was previously patched in December of 2023, that could let attackers access credentials within private production containers via environment variables.
The rotated keys include the GitHub commit signing key as well as GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, necessitating users who rely on these keys to import the new ones.
The vulnerability, tracked as CVE-2024-0200, can allow attackers to gain remote code execution on unpatched servers. The vulnerability was patched in GitHub Enterprise Server versions 3.8.13, 3.9.8 3.10.5, and 3.11.3, and GitHub encourages users to install the relevant security update as soon as possible.
Community Threat Assessment
Due to the available security updates for a variety of GitHub products, the RH-ISAC intelligence team assesses that the reissuing of new private keys presents a low threat for organizations that utilize GitHub products who prioritize patching for CVE-2024-0200 in a timely manner. This discovery comes as several different threats affect several technological components of separate GitHub and GitLab systems, such as the GitHub CI/CD Attack vector discovery, and the discovery of several critical vulnerabilities in GitLab. Still, the RH-ISAC intelligence team recommends members upgrade relevant systems where necessary and reissue new keys where applicable and store them in a secure manner.