UBUNTU-CVE-2024-54132

Source
https://ubuntu.com/security/CVE-2024-54132
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-54132.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-54132
Related
Published
2024-12-04T16:15:00Z
Modified
2025-04-23T14:58:55Z
Summary
[none]
Details

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.

References

Affected packages

Ubuntu:22.04:LTS / gh

Package

Name
gh
Purl
pkg:deb/ubuntu/gh@2.4.0+dfsg1-2?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.4.0+dfsg1-1
2.4.0+dfsg1-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / gh

Package

Name
gh
Purl
pkg:deb/ubuntu/gh@2.46.0-1ubuntu0.2?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.45.0-1build1
2.46.0-1
2.46.0-1ubuntu0.2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / gh

Package

Name
gh
Purl
pkg:deb/ubuntu/gh@2.45.0-1ubuntu0.2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.27.0+dfsg1-1build1
2.30.0-2
2.35.0-1
2.40.1+dfsg1-1
2.42.1-1
2.43.1-1
2.44.1-1
2.44.1-2
2.45.0-1
2.45.0-1build1
2.45.0-1ubuntu0.1
2.45.0-1ubuntu0.2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:25.04 / gh

Package

Name
gh
Purl
pkg:deb/ubuntu/gh@2.46.0-3?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.46.0-1
2.46.0-2
2.46.0-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}