CVE-2024-54132

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-54132

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-54132.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-54132

Aliases

Related

Published

2024-12-04T16:15:26Z

Modified

2025-01-15T05:45:24.245324Z

Downstream

openSUSE-SU-2024:14567-1

Summary

[none]

Details

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.

References

Affected packages

Debian:12 / gh

Package

Name: gh
Purl: pkg:deb/debian/gh?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.23.0+dfsg1-1

2.24.3+dfsg1-1

2.27.0+dfsg1-1

2.30.0-1

2.30.0-2

2.35.0-1

2.40.1+dfsg1-1

2.42.1-1

2.43.1-1

2.44.1-1

2.44.1-2

2.45.0-1

2.46.0-1

2.46.0-2

2.46.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / gh

Package

Name: gh
Purl: pkg:deb/debian/gh?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.46.0-3

Affected versions

2.*

2.23.0+dfsg1-1

2.24.3+dfsg1-1

2.27.0+dfsg1-1

2.30.0-1

2.30.0-2

2.35.0-1

2.40.1+dfsg1-1

2.42.1-1

2.43.1-1

2.44.1-1

2.44.1-2

2.45.0-1

2.46.0-1

2.46.0-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/cli/cli

Affected ranges

Type: GIT
Repo: https://github.com/cli/cli
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1136764c369aaf0cae4ec2ee09dc35d871076932

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.12.0

v0.4.0

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.8.0

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.10.1

v1.10.2

v1.10.3

v1.11.0

v1.12.0

v1.12.1

v1.13.0

v1.13.1

v1.14.0

v1.2.0

v1.2.1

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.6.1

v1.6.2

v1.7.0

v1.8.0

v1.8.1

v1.9.0

v1.9.1

v1.9.2

v2.*

v2.0.0

v2.1.0

v2.10.0

v2.10.1

v2.11.0

v2.11.1

v2.11.2

v2.11.3

v2.12.0

v2.12.1

v2.13.0

v2.14.0

v2.14.1

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.14.6

v2.14.7

v2.15.0

v2.16.0

v2.16.1

v2.17.0

v2.18.0

v2.18.1

v2.19.0

v2.2.0

v2.20.0

v2.20.1

v2.20.2

v2.21.0

v2.21.1

v2.21.2

v2.22.0

v2.22.1

v2.23.0

v2.24.0

v2.24.1

v2.24.2

v2.24.3

v2.25.0

v2.25.1

v2.26.0

v2.26.1

v2.27.0

v2.29.0

v2.3.0

v2.30.0

v2.31.0

v2.32.0

v2.32.1

v2.33.0

v2.34.0

v2.35.0

v2.36.0

v2.37.0

v2.38.0

v2.39.0

v2.39.1

v2.39.2

v2.4.0

v2.40.0

v2.40.1

v2.41.0

v2.42.0

v2.42.1

v2.43.0

v2.43.1

v2.44.0

v2.44.1

v2.45.0

v2.46.0

v2.47.0

v2.48.0

v2.49.0

v2.49.1

v2.49.2

v2.5.0

v2.5.1

v2.5.2

v2.50.0

v2.51.0

v2.52.0

v2.53.0

v2.54.0

v2.55.0

v2.56.0

v2.57.0

v2.58.0

v2.59.0

v2.6.0

v2.60.0

v2.60.1

v2.61.0

v2.62.0

v2.63.0

v2.7.0

v2.8.0

v2.9.0