GitHub patches holes in Enterprise Server: install the update as soon as possible

Brother

Last year's SSH key leak forced the company to become more vigilant.

GitHub patched the Enterprise Server vulnerability CVE-2024-0200, related to Unsafe Reflection, which allowed attackers to execute remote code on unprotected servers. This vulnerability allowed access to the environment variables of the production container, including credentials, but its exploitation required authentication with the role of the owner of the organization with administrative access.

Information about this security flaw was first reported on December 26, 2023 via the Bug Bounty program on GitHub. After receiving the report, the company promptly fixed the vulnerability and started updating all potentially compromised credentials. Jacob DePriest, Vice President and deputy head of security at GitHub, expressed high confidence that hackers did not have time to exploit the breach for personal gain.

As a precaution, GitHub has also updated its access keys. Most of them do not require user action, but those who use GitHub commit signing keys, as well as GitHub Actions, Codespaces, and Dependabot client encryption keys, will need to import the new public keys manually. In general, the company recommends regularly updating public keys via the API to ensure data security and keep the keys up to date.
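One practical form of the "refresh public keys via the API" advice is to compare what you have pinned locally against what the API currently publishes. The script below is an added example, not code from the post or from GitHub: it takes a constructed sample of the `ssh_keys` field that GitHub's `GET /meta` endpoint returns, computes OpenSSH-style SHA256 fingerprints, and flags `known_hosts` entries for github.com whose key is no longer among the published ones. The key material is synthetic (built from a seed byte), so it is syntactically valid ssh-ed25519 but not GitHub's real keys; the hypothetical `_ed25519_key` helper exists only to construct that sample.

```python
"""Flag pinned github.com SSH host keys that are no longer published (added example)."""
import base64
import hashlib
import json


def _ed25519_key(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key from a seed byte (constructed)."""
    blob = (b"\x00\x00\x00\x0bssh-ed25519"          # string "ssh-ed25519"
            + b"\x00\x00\x00\x20"                    # 32-byte key follows
            + bytes([(seed + i) % 256 for i in range(32)]))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


NEW_KEY = _ed25519_key(1)   # the rotated key the API now publishes (constructed)
OLD_KEY = _ed25519_key(99)  # the key still pinned in a stale known_hosts (constructed)

# Constructed stand-in for the JSON body of GET https://api.github.com/meta
META_JSON = json.dumps({"ssh_keys": [NEW_KEY]})

# Constructed known_hosts file: github.com still points at the old key
KNOWN_HOSTS = f"""# constructed known_hosts
github.com {OLD_KEY}
example.org ssh-ed25519 {_ed25519_key(7).split()[1]}
"""


def fingerprint(key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64>' public key string."""
    blob = base64.b64decode(key.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def published_fingerprints(meta_json: str) -> set:
    """Fingerprints of every key in the 'ssh_keys' list of a /meta response body."""
    return {fingerprint(k) for k in json.loads(meta_json)["ssh_keys"]}


def stale_github_entries(known_hosts: str, meta_json: str) -> list:
    """Return known_hosts lines for github.com whose key is not currently published.

    Hashed entries (|1|...) are skipped because the hostname cannot be read back.
    """
    current = published_fingerprints(meta_json)
    stale = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|"):
            continue
        host, keytype, keydata = line.split()[:3]
        if host != "github.com":
            continue
        if fingerprint(f"{keytype} {keydata}") not in current:
            stale.append(line)
    return stale


if __name__ == "__main__":
    for entry in stale_github_entries(KNOWN_HOSTS, META_JSON):
        print("stale pinned key:", entry.split()[1], fingerprint(entry.split(None, 1)[1]))
```

In real use the `META_JSON` constant would be replaced by the body fetched from `https://api.github.com/meta`; the fingerprints produced here match what `ssh-keygen -lf` prints, so a flagged entry can be cross-checked by hand before the line is replaced.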

In addition, yesterday GitHub also fixed another vulnerability in Enterprise Server (CVE-2024-0507), which allowed users with the editor role in the Management Console to increase their privileges. The update is available for Enterprise Server versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. The company recommends that you do not delay the installation process and apply the patch as soon as possible.