GitHub Rotates Keys After High-Severity Credential-Exposing Vulnerability Discovered

The rotated keys include the GitHub commit signing key as well as GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys
Github logo

Context

Representatives from GitHub Security has announced the rotation of private keys potentially exposed by a newly discovered vulnerability, which was previously patched in December of 2023, that could let attackers access credentials within private production containers via environment variables.

The rotated keys include the GitHub commit signing key as well as GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, necessitating users who rely on these keys to import the new ones.

The vulnerability, tracked as CVE-2024-0200, can allow attackers to gain remote code execution on unpatched servers. The vulnerability was patched in GitHub Enterprise Server versions 3.8.13, 3.9.8 3.10.5, and 3.11.3, and GitHub encourages users to install the relevant security update as soon as possible.

Community Threat Assessment

Due to the available security updates for a variety of GitHub products, the RH-ISAC intelligence team assesses that the reissuing of new private keys presents a low threat for organizations that utilize GitHub products who prioritize patching for CVE-2024-0200 in a timely manner. This discovery comes as several different threats affect several technological components of separate GitHub and GitLab systems, such as the GitHub CI/CD Attack vector discovery, and the discovery of several critical vulnerabilities in GitLab. Still, the RH-ISAC intelligence team recommends members upgrade relevant systems where necessary and reissue new keys where applicable and store them in a secure manner.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.