GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.
This unsafe reflection vulnerability can allow attackers to gain remote code execution on unpatched servers.
It was also patched on Tuesday in GitHub Enterprise Server versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, with the company urging all customers to install the security update as soon as possible.
While successful exploitation gives threat actors access to a production container's environment variables, including credentials, it requires authentication as a user with the organization owner role.
Although most of the keys rotated by GitHub in December require no customer action, those using GitHub's commit signing key and GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys will have to import the new public keys.
GitHub also fixed a second high-severity Enterprise Server command injection vulnerability that would allow attackers using a Management Console user account with an editor role to escalate privileges.
This isn't the first time the company has had to rotate or revoke exposed or stolen secrets in the past year.
Months earlier, GitHub also had to revoke code-signing certificates for its Desktop and Atom applications after unknown attackers stole them by breaching the company's development and release planning repositories in December 2022.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 16 Jan 2024 22:20:10 +0000