GitHub has disclosed a vulnerability that allowed access to the contents of environment variables set in containers used in its production infrastructure. The vulnerability, designated CVE-2024-0200, was reported by a participant in GitHub's Bug Bounty program, who received a reward for finding the security issue. The issue affects both the GitHub.com service and GitHub Enterprise Server (GHES) installations deployed on customer systems.
According to an analysis of logs and infrastructure audits, there is no evidence that the vulnerability was exploited in the past, apart from the activity reported by the researcher. Nonetheless, GitHub rotated all potentially compromised credentials and access keys as a precaution. This key rotation caused service disruptions from December 27 to 29. GitHub administrators have since corrected mistakes made during the key rotation that could have affected customers.
In addition to rotating those keys, GitHub has also replaced the GPG key used to sign commits made through the web editor, when merging pull requests on the site, or through Codespaces tooling. The new key has been in use since January 16, and the old key is no longer valid. Starting January 23, new commits signed with the old key will no longer be marked as verified.
On January 16, GitHub also rotated the public keys used to encrypt data sent through the API for GitHub Actions, GitHub Codespaces, and Dependabot. Users are advised to update the keys they hold locally so that local verification of commits continues to work after the key rotation.
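To see which locally checked commits stop verifying after a signing-key rotation, the following added example (not code from GitHub's advisory) classifies the raw gpg status lines that `git verify-commit --raw` prints to stderr, distinguishing a good signature from one made with a key that is expired, revoked, or simply missing from the local keyring. The key IDs and user IDs in the sample status output are constructed placeholders, not GitHub's real key.

```python
"""Classify gpg status-fd lines (as emitted by `git verify-commit --raw`)
so a reviewer can tell why a commit no longer verifies after a key rotation.
Added example; key IDs below are constructed placeholders."""
import re
import subprocess

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# gpg status keyword -> outcome a reviewer can act on
OUTCOME = {
    "GOODSIG": "verified",       # good signature, key present and valid
    "EXPKEYSIG": "expired-key",  # good signature, but the key has expired
    "REVKEYSIG": "revoked-key",  # good signature, but the key was revoked
    "BADSIG": "bad",             # signature does not match the commit
}


def classify(status_text: str) -> dict:
    """Return {'outcome': ..., 'keyid': ...} for one commit's status lines."""
    result = {"outcome": "unsigned", "keyid": None}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, parts = m.group(1), (m.group(2) or "").split()
        keyid = parts[0] if parts else None
        if keyword in OUTCOME:
            result.update(outcome=OUTCOME[keyword], keyid=keyid)
        elif keyword == "NO_PUBKEY":
            # Signed, but the key is not in the keyring: the rotated
            # public key must be imported before the commit can verify.
            result.update(outcome="missing-key", keyid=keyid)
        elif keyword == "ERRSIG" and result["outcome"] == "unsigned":
            result.update(outcome="error", keyid=keyid)  # may be refined by NO_PUBKEY
    return result


def verify_commit(rev: str, repo: str = ".") -> dict:
    """Run `git verify-commit --raw` on a real repository and classify the result."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                          capture_output=True, text=True)
    return classify(proc.stderr)


# Constructed status output for a commit whose signing key is absent locally.
SAMPLE_MISSING = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 22 10 00 1705363200 9 -
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""
# Constructed status output for a commit that verifies cleanly.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-01-16 1705363200 0 4 0 22 10 00 0000000000000000000000000000000000000000
"""
```

A `missing-key` outcome after the rotation date means the local keyring still lacks the new public key, while `revoked-key` or `expired-key` identifies commits signed with the retired key.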
GitHub has already fixed the vulnerability on GitHub.com and has released GHES versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. On self-hosted GHES installations, an attack is only possible if the attacker has an account with organization management rights (Organization Owner).