GitHub Fixed Critical CVE-2024-0200 Flaw in Enterprise Server
GitHub recently fixed a vulnerability, CVE-2024-0200, in GitHub Enterprise Server. The flaw, classified as Unsafe Reflection, allowed an attacker to execute code remotely on vulnerable servers and, through that, to read the environment variables of production containers, credentials included. Exploiting it, however, required an authenticated account holding the organization owner role together with administrative access.
GitHub first received a report of the weakness on December 26, 2023, through its Bug Bounty Program. The company promptly patched the vulnerability and began rotating every credential that could have been exposed. Jacob DePriest, Vice President and Deputy Chief of Security at GitHub, expressed high confidence that attackers had not exploited the flaw for malicious purposes.
As a precaution, GitHub also rotated its own keys. Most of these rotations require no action from users, but anyone who relies on GitHub's commit signing key, or on the encryption keys of the GitHub Actions, Codespaces, and Dependabot clients, will need to import the new public keys manually. More generally, the company recommends fetching the current public keys from its API on a regular basis so that clients stay both secure and up to date.
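As an added example (not code from the article or from GitHub), the following Python check is the kind of audit a defender runs after a host-key rotation like this one: it compares the github.com entries pinned in ~/.ssh/known_hosts, plain, comma-listed or hashed, against the `ssh_keys` list that GitHub publishes at https://api.github.com/meta. The response and known_hosts content below are constructed samples, and every key body is placeholder text rather than a real GitHub key.

```python
import base64
import hashlib
import hmac
import json

def hash_host(hostname, salt):
    """Build the '|1|<salt>|<hmac>' host field OpenSSH writes when HashKnownHosts=yes."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()

def host_matches(field, hostname):
    """True if a known_hosts host field names `hostname`: plain, comma-listed or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(hash_b64))
    return hostname in field.split(",")

def audit_known_hosts(known_hosts_text, meta_json, hostname="github.com"):
    """Return (stale, missing): stale = pinned keys the API no longer publishes (rotated
    out, remove them); missing = currently published keys that are not pinned yet."""
    current = set(json.loads(meta_json)["ssh_keys"])
    pinned = set()
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if parts[0].startswith("@"):  # skip '@cert-authority' / '@revoked' markers
            parts = parts[1:]
        if host_matches(parts[0], hostname):
            pinned.add(parts[1] + " " + parts[2])  # key type + base64 body, comment dropped
    return sorted(pinned - current), sorted(current - pinned)

# Constructed sample of GET https://api.github.com/meta; key bodies are placeholders.
SAMPLE_META_JSON = json.dumps({"ssh_keys": [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEcurrentEd25519Key",
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhEXAMPLEcurrentEcdsaKey",
    "ssh-rsa AAAAB3NzaC1yc2EEXAMPLEnewRsaKeyNotPinnedYet",
]})

SAMPLE_SALT = b"constructed-20B-salt"  # constructed; OpenSSH uses a random 20-byte salt
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",
    "github.com ssh-rsa AAAAB3NzaC1yc2EEXAMPLEoldRsaKeyRotatedOut",
    "github.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEcurrentEd25519Key",
    hash_host("github.com", SAMPLE_SALT) + " ecdsa-sha2-nistp256 AAAAE2VjZHNhEXAMPLEcurrentEcdsaKey",
    "git.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEunrelatedHostKey",
])
```

Running `audit_known_hosts(SAMPLE_KNOWN_HOSTS, SAMPLE_META_JSON)` on the sample reports the old RSA key as stale and the newly published RSA key as missing; against a live instance, replace the sample with the real `/meta` response and the user's known_hosts file.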
GitHub also fixed a second Enterprise Server vulnerability, CVE-2024-0507, which allowed a user with the editor role in the Management Console to escalate their privileges. The patched releases are Enterprise Server versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, and the company advises administrators to install the update as soon as feasible.