Severity

high

Unauthorized access to Codespace secrets in GitHub

Published Mon, Mar 6th, 2023

Platforms

github

Summary

A vulnerability in GitHub's Repository Security Advisory feature allowed unauthorized users to read plaintext Codespace secrets belonging to any organization, including GitHub itself. The issue stemmed from the then-beta capability that lets external users privately report vulnerabilities to public repositories; the workflow inadvertently exposed organization-level Codespace secrets to the reporter, who has no membership in the organization.

Affected Services

GitHub Codespaces, GitHub Repository Security Advisory

Remediation

None required (fixed on GitHub's side). Organizations may still wish to rotate organization-level Codespace secrets that existed during the exploitability period, since a secret read inside a codespace leaves no direct trace.

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/sshayb

Entry Status

Finalized

Disclosure Date

Fri, Dec 30th, 2022

Exploitability Period

Until 2022/12/31

Known ITW Exploitation

-

Detection Methods

Review organization-level Codespace secrets (Organization settings > Secrets and variables > Codespaces, or GET /orgs/{org}/codespaces/secrets) and rotate any whose current value was set on or before the end of the exploitability period, prioritizing secrets made available to all repositories rather than to an explicit repository list. In the organization audit log, look for Codespaces activity (codespaces.* actions) and security-advisory activity in that period by accounts that are not organization members. Absence of findings does not prove a secret was not read, because reading an environment variable inside a codespace is not itself logged.
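The following triage script is an added example and not part of the original entry or of any GitHub tooling. It runs the two checks described above over JSON in the shape returned by `GET /orgs/{org}/codespaces/secrets` and `GET /orgs/{org}/audit-log?phrase=action:codespaces` (which an operator would fetch with `gh api`); the embedded records, the organization name, the member list and the repository names are constructed for illustration. The assumption behind the first check is that a secret whose visibility is `all` or `private` is available to every (or every private) repository in the organization, including one created during the advisory workflow, whereas a `selected` secret is only exposed if the affected repository is on its list. The entry gives only the end of the exploitability window, so the window start is left open by default.

```python
"""Triage helper for the Codespace secret exposure described in this entry.

Example code, not GitHub's. It consumes JSON already fetched from the REST
API (or the constructed sample below) and never contacts the network.
"""
from datetime import datetime, timezone

# End of the exploitability period given in the entry; the whole day is
# treated as exposed (assumption).
WINDOW_END = datetime(2022, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample of the "secrets" array from GET /orgs/{org}/codespaces/secrets.
SAMPLE_SECRETS = [
    {"name": "NPM_TOKEN", "visibility": "all",
     "created_at": "2022-11-20T10:00:00Z", "updated_at": "2022-11-20T10:00:00Z"},
    {"name": "DEPLOY_KEY", "visibility": "private",
     "created_at": "2022-12-01T08:30:00Z", "updated_at": "2022-12-01T08:30:00Z"},
    {"name": "STAGING_TOKEN", "visibility": "selected",
     "created_at": "2022-12-10T12:00:00Z", "updated_at": "2022-12-10T12:00:00Z"},
    {"name": "ROTATED_TOKEN", "visibility": "all",          # rotated after the window
     "created_at": "2022-10-01T00:00:00Z", "updated_at": "2023-01-15T09:00:00Z"},
    {"name": "NEW_TOKEN", "visibility": "all",              # created after the window
     "created_at": "2023-02-01T00:00:00Z", "updated_at": "2023-02-01T00:00:00Z"},
]

# Constructed sample of audit-log entries. "@timestamp" is epoch milliseconds,
# as the audit-log API returns it; action names assumed as documented for the
# GitHub audit log. Repository names are invented.
SAMPLE_AUDIT = [
    {"@timestamp": 1672272000000, "action": "codespaces.create",   # 2022-12-29
     "actor": "alice", "repo": "example-org/web"},
    {"@timestamp": 1672358400000, "action": "codespaces.create",   # 2022-12-30
     "actor": "outsider", "repo": "example-org/web-report-fork"},
    {"@timestamp": 1675209600000, "action": "codespaces.create",   # 2023-02-01
     "actor": "mallory", "repo": "example-org/web"},
]

# Constructed organization membership (in practice: GET /orgs/{org}/members).
SAMPLE_MEMBERS = {"alice", "bob"}


def _parse_iso(ts: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used by the REST API."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def secrets_to_rotate(secrets, window_end=WINDOW_END):
    """Names of org-level Codespace secrets that may have been readable.

    A secret qualifies when it is not scoped to an explicit repository list
    (visibility 'all' or 'private') and its current value was set on or
    before window_end; an update after the window means it was already
    rotated and needs no further action.
    """
    exposed = []
    for secret in secrets:
        if secret["visibility"] not in ("all", "private"):
            continue
        if _parse_iso(secret["updated_at"]) <= window_end:
            exposed.append(secret["name"])
    return sorted(exposed)


def suspicious_codespace_events(events, members, window_start=None,
                                window_end=WINDOW_END):
    """Codespaces audit-log entries inside the window by non-members.

    window_start=None leaves the lower bound open, since the entry states
    only when exploitability ended.
    """
    hits = []
    for event in events:
        if not event.get("action", "").startswith("codespaces."):
            continue
        when = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        if when > window_end or (window_start is not None and when < window_start):
            continue
        if event["actor"] in members:
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    # With real data: gh api /orgs/ORG/codespaces/secrets --jq .secrets, and
    # gh api '/orgs/ORG/audit-log?phrase=action:codespaces' --paginate
    for name in secrets_to_rotate(SAMPLE_SECRETS):
        print(f"rotate: {name}")
    for hit in suspicious_codespace_events(SAMPLE_AUDIT, SAMPLE_MEMBERS):
        print(f"review: {hit['actor']} {hit['action']} {hit['repo']}")
```

The `selected` visibility is skipped deliberately; those secrets still deserve a manual look at their repository list, but they are not exposed to every repository in the organization the way `all` and `private` secrets are. A non-member creating a codespace in the window is the event worth pulling the surrounding log context for, since that is the only footprint the reporter's session would leave.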

Piercing Index Rating

-

Discovered by

Rojan Rijal, Ophion Security