GHSA-55v3-xh23-96gh

Source
https://github.com/advisories/GHSA-55v3-xh23-96gh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-55v3-xh23-96gh/GHSA-55v3-xh23-96gh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-55v3-xh23-96gh
Aliases
  • CVE-2024-53859
Published
2024-11-27T21:43:03Z
Modified
2024-12-02T18:03:41Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Summary
`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace
Details

Summary

A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.

Details

go-gh sources authentication tokens from different environment variables depending on the host involved:

  • GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com
  • GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server

Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace.

In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.
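To make the host boundary described above concrete, the following Go program is an added illustration (not go-gh's own code) that places the pre-2.11.1 codespace fallback beside the 2.11.1 rule. The host-matching rule, the GH_TOKEN-before-GITHUB_TOKEN precedence, the `inCodespace` flag and the hostnames are assumptions made for the example.

```go
package main
import (
	"fmt"
	"strings"
)

// Hosts allowed to receive GITHUB_TOKEN/GH_TOKEN (rule assumed for illustration; not go-gh's own code).
func isGitHubHost(host string) bool {
	h := strings.ToLower(host)
	return h == "github.com" || h == "ghe.com" || strings.HasSuffix(h, ".ghe.com")
}

// firstSet returns the first non-empty variable among keys, plus its name as the source.
func firstSet(getenv func(string) string, keys ...string) (string, string) {
	for _, k := range keys {
		if v := getenv(k); v != "" {
			return v, k
		}
	}
	return "", ""
}

// Pre-2.11.1 behaviour as the advisory describes it: in a codespace GITHUB_TOKEN is used for any host.
func tokenForHostVulnerable(host string, inCodespace bool, getenv func(string) string) (string, string) {
	if isGitHubHost(host) {
		return firstSet(getenv, "GH_TOKEN", "GITHUB_TOKEN")
	}
	if tok, src := firstSet(getenv, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN"); tok != "" {
		return tok, src
	}
	if inCodespace { // boundary violation: a GitHub.com token is handed to a non-GitHub host
		return firstSet(getenv, "GITHUB_TOKEN")
	}
	return "", ""
}

// 2.11.1 rule: GITHUB_TOKEN is only ever used for GitHub.com / ghe.com hosts.
func tokenForHostFixed(host string, getenv func(string) string) (string, string) {
	if isGitHubHost(host) {
		return firstSet(getenv, "GH_TOKEN", "GITHUB_TOKEN")
	}
	return firstSet(getenv, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN")
}

func main() {
	env := map[string]string{"GITHUB_TOKEN": "ghu_constructed_example"} // constructed codespace environment
	getenv := func(k string) string { return env[k] }
	fmt.Println(tokenForHostVulnerable("ghes.example.internal", true, getenv)) // token leaks to the GHES host
	fmt.Println(tokenForHostFixed("ghes.example.internal", getenv))            // no token for that host
}
```

Injecting `getenv` instead of calling `os.Getenv` directly is what makes the boundary unit-testable: the same check can be run for every host class without touching the real environment.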

Impact

Successful exploitation could send an authentication token to an unintended host.

Remediation and mitigation

  1. Upgrade go-gh to 2.11.1
  2. Advise extension users to regenerate authentication tokens
  3. Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise
Database specific
{
    "nvd_published_at": "2024-11-27T22:15:05Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-27T21:43:03Z"
}
References

Affected packages

Go / github.com/cli/go-gh/v2

Package

Name
github.com/cli/go-gh/v2
Purl
pkg:golang/github.com/cli/go-gh/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.11.1

Database specific

{
    "last_known_affected_version_range": "<= 2.11.0"
}