Connect with us

Hi, what are you looking for?



GitHub Rotates Credentials in Response to Vulnerability

GitHub rotates credentials and releases patches after being alerted of a vulnerability affecting and GitHub Enterprise Server.

Code hosting platform GitHub on Tuesday announced that it has rotated credentials after learning that a vulnerability impacting and GitHub Enterprise Server could expose login information.

The Microsoft-owned platform received the vulnerability report on December 26, 2023, and took immediate action to address the issue and revoke potentially exposed credentials, which led to disruptions between December 27 and 29.

The security defect, which allowed access to credentials within a production container, had no impact beyond the security researcher who identified and reported it, but the platform’s security protocols call for rotating credentials exposed to third-parties.

“After running a full investigation, we assess with high confidence, based on the uniqueness of this issue and analysis of our telemetry and logging, that this vulnerability has not been previously found and exploited,” GitHub says.

The flaw was resolved on on the same day that the vulnerability report was received via HackerOne and patches were released on Tuesday for GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.

Exploitation of the vulnerability in GHES requires that the attacker is logged in as an organization owner, “which is a significant set of mitigating circumstances to potential exploitation,” the platform notes.

While most of the credential rotations are part of GitHub’s normal operations, some of the keys that are being revoked may require action from users, the code sharing service says.

The private GitHub GPG commit signing key, which is employed for signing commits created on GitHub, was rotated on January 16 and newly uploaded commits that are not signed with the new key are no longer shown as verified.

Advertisement. Scroll to continue reading.

“If you verify commits outside of GitHub, including for verification in GHES, you will need to import our new public key hosted here. We strongly recommend regularly pulling the public key to ensure you’re using the most current data from GitHub. This will also allow for seamless adoption of new keys in the future,” the platform notes.

By January 23, all users with a GitHub Codespace with commit signing enabled who have not pushed commits created before January 16 from the codespace to the GitHub repository will have to push them, otherwise they will no longer be marked as verified unless they are resigned.

GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys are also affected by the rotation. Users who cached or hardcoded the related public keys will need to pull the keys from the API to get the most recent ones.

Related: Stolen GitHub Credentials Used to Push Fake Dependabot Commits

Related: GitHub Rotates Publicly Exposed RSA SSH Private Key

Related: Attackers Can Abuse GitHub Codespaces for Malware Delivery

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.