A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when running within a codespace.

go-gh sources authentication tokens from different environment variables depending on the host involved:

- GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com
- GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server

Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace. In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.

Successful exploitation could send an authentication token to an unintended host.

Upgrade go-gh to 2.11.1.
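The host-to-variable lookup above, as an added example that is not go-gh's own source: a simplified model of auth.TokenForHost with the pre-2.11.1 codespace fallback beside the fixed behaviour, plus a regression check that a non-GitHub host never receives a token sourced from GITHUB_TOKEN or GH_TOKEN. The variable ordering, the env map, the fixed flag and the hostname "ghes.example.internal" are assumptions made for the example; real go-gh also normalises hostnames, which is omitted here.

```go
package main

import "strings"

// env stands in for the process environment so the example runs offline.
type env map[string]string

// Hypothetical, simplified host classification (not go-gh's source):
// only GitHub.com and ghe.com may use the GitHub.com token variables.
func isDotComOrGHEC(host string) bool {
	h := strings.ToLower(host)
	return h == "github.com" || h == "ghe.com"
}

// lookup returns the first non-empty variable from names, with its name.
func lookup(e env, names ...string) (string, string) {
	for _, n := range names {
		if t := e[n]; t != "" {
			return t, n
		}
	}
	return "", ""
}

// tokenForHost models the lookup. fixed=false reproduces the pre-2.11.1
// behaviour: inside a codespace, GITHUB_TOKEN is used as a fallback for
// any host, so a GitHub.com token can be sent to a GHES host.
func tokenForHost(e env, host string, inCodespace, fixed bool) (string, string) {
	if isDotComOrGHEC(host) {
		return lookup(e, "GH_TOKEN", "GITHUB_TOKEN")
	}
	if t, src := lookup(e, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN"); t != "" {
		return t, src
	}
	if inCodespace && !fixed {
		return lookup(e, "GITHUB_TOKEN") // the leak: dotcom token for a non-GitHub host
	}
	return "", ""
}

// leaksDotComToken is a regression check: a token resolved for a non-GitHub
// host must never originate from GITHUB_TOKEN or GH_TOKEN.
func leaksDotComToken(host, source string) bool {
	return !isDotComOrGHEC(host) && (source == "GITHUB_TOKEN" || source == "GH_TOKEN")
}
```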
{ "nvd_published_at": "2024-11-27T22:15:05Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-11-27T21:43:03Z" }