Code hosting platform GitHub on Tuesday announced that it has rotated credentials after learning that a vulnerability impacting GitHub.com and GitHub Enterprise Server could expose login information.
The Microsoft-owned platform received the vulnerability report on December 26, 2023, and took immediate action to address the issue and revoke potentially exposed credentials, which led to disruptions between December 27 and 29.
The security defect, which allowed access to credentials within a production container, had no impact beyond the security researcher who identified and reported it, but the platform’s security protocols call for rotating credentials exposed to third-parties.
“After running a full investigation, we assess with high confidence, based on the uniqueness of this issue and analysis of our telemetry and logging, that this vulnerability has not been previously found and exploited,” GitHub says.
The flaw was resolved on GitHub.com on the same day that the vulnerability report was received via HackerOne and patches were released on Tuesday for GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
Exploitation of the vulnerability in GHES requires that the attacker is logged in as an organization owner, “which is a significant set of mitigating circumstances to potential exploitation,” the platform notes.
While most of the credential rotations are part of GitHub’s normal operations, some of the keys that are being revoked may require action from users, the code sharing service says.
The private GitHub GPG commit signing key, which is employed for signing commits created on GitHub, was rotated on January 16 and newly uploaded commits that are not signed with the new key are no longer shown as verified.
“If you verify GitHub.com commits outside of GitHub, including for verification in GHES, you will need to import our new public key hosted here. We strongly recommend regularly pulling the public key to ensure you’re using the most current data from GitHub. This will also allow for seamless adoption of new keys in the future,” the platform notes.
By January 23, all users with a GitHub Codespace with commit signing enabled who have not pushed commits created before January 16 from the codespace to the GitHub repository will have to push them, otherwise they will no longer be marked as verified unless they are resigned.
GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys are also affected by the rotation. Users who cached or hardcoded the related public keys will need to pull the keys from the API to get the most recent ones.
Related: Stolen GitHub Credentials Used to Push Fake Dependabot Commits
Related: GitHub Rotates Publicly Exposed RSA SSH Private Key
Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery
