UBUNTU-CVE-2024-53859

Source
https://ubuntu.com/security/CVE-2024-53859
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-53859.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-53859
Related
  • CVE-2024-53859
Published
2024-11-27T22:15:00Z
Modified
2024-12-06T04:30:45Z
Summary
[none]
Details

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens from different environment variables depending on the host involved: 1. GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com and 2. GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server. Prior to version 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts. Successful exploitation could send authentication token to an unintended host. This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.

References

Affected packages

Ubuntu:24.10 / golang-github-cli-go-gh-v2

Package

Name
golang-github-cli-go-gh-v2
Purl
pkg:deb/ubuntu/golang-github-cli-go-gh-v2?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.6.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / golang-github-cli-go-gh-v2

Package

Name
golang-github-cli-go-gh-v2
Purl
pkg:deb/ubuntu/golang-github-cli-go-gh-v2?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.0-2
2.3.0-1
2.4.0+git20231120.d32c104-1
2.5.0-1
2.6.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}