On September 28, 2021, Azure DevOps was notified by Axosoft of a vulnerability in a dependency of their popular git GUI client – GitKraken. This vulnerability led to the GitKraken client generating insecure SSH keys.
In response to this disclosure, we conducted a security investigation of the reported vulnerability and identified a small set of users across our service with potentially insecure SSH keys generated through affected versions of GitKraken.
We revoked all the affected SSH keys generated through affected versions of GitKraken on 10/11/2021. Within the next 24 hours, we will also directly inform those individuals whose SSH keys were revoked.
If you do not receive an email notification from Azure DevOps about this issue, we have no evidence you were impacted by this vulnerability. However, as a good security precaution, we recommend that you remove the SSH public keys you added to Azure DevOps and add a new one. For information on how to do this, please see the how-to steps here.
For more information regarding this issue, please visit GitKraken’s blog post here.
For questions related to GitKraken, please contact their support team at support@gitkraken.com.
For questions related to Azure DevOps, feel free to reach out to us through the Azure DevOps Developer Community Channel.
Is it possible for Project Collection Administrators to revoke SSH keys of other users? We would like to clear SSH keys in our org as a precaution but do not want to rely on the users themselves needing to do this.