GitHub rotated some credentials after the discovery of a flaw that allowed access to the environment variables of a production container.
After GitHub became aware of a vulnerability through its bug bounty program, the Microsoft-owned company rotated some credentials.
The vulnerability, tracked as CVE-2024-0200 (CVSS score 7.2), allowed access to the environment variables of a production container; the company confirmed that all affected credentials have been rotated.
“On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container,” reads the announcement. “We fixed this vulnerability on GitHub.com the same day and began rotating all potentially exposed credentials.”
The vulnerability was reported on December 26, 2023, and the company addressed the flaw the same day.
The firm investigated the flaw and determined with high confidence that it had not been previously discovered or exploited. The credentials were nevertheless rotated out of an abundance of caution.
“Rotating credentials across our production systems caused a number of service disruptions between December 27 and 29. We recognize the impact these had on our customers that rely on GitHub and have improved our credential rotation procedures to reduce the risk of unplanned downtime going forward,” continues the announcement.
This vulnerability is also present on GitHub Enterprise Server (GHES). However, a prerequisite for exploitation is that an authenticated user with the organization owner role is logged into an account on the GHES instance. The company addressed the issue in GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
The rotated keys are the public keys customers use to encrypt GitHub Actions, GitHub Codespaces, and Dependabot secrets before sending them to GitHub via the API, where they are stored for subsequent use in the product.