CVE-2024-53859 go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace

🗓️ 27 Nov 2024 21:25:12Reported by GitHub_MType

`CVE-2024-53859 go-gh `auth.TokenForHost` vulnerability leaking GitHub auth tokens within codespace. Upgrade to version 2.11.1

Reporter	Title	Published	Views	Family All 47
Tenable Nessus	Azure Linux 3.0 Security Update: gh (CVE-2024-53859)	22 Jan 202600:00	–	nessus
Tenable Nessus	Ubuntu 24.04 LTS / 24.10 : go-gh vulnerability (USN-7362-1)	20 Mar 202500:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2024-53859	6 Mar 202500:00	–	nessus
CBLMariner	CVE-2024-53859 affecting package gh for versions less than 2.62.0-1	12 Dec 202401:02	–	cbl_mariner
Chainguard	CVE-2024-53859 vulnerabilities	27 Nov 202422:15	–	cgr
Circl	CVE-2024-53859	27 Nov 202421:48	–	circl
CNNVD	go-gh 信息泄露漏洞	27 Nov 202400:00	–	cnnvd
CVE	CVE-2024-53859	27 Nov 202421:25	–	cve
Debian CVE	CVE-2024-53859	27 Nov 202421:25	–	debiancve
EUVD	EUVD-2024-3396	3 Oct 202520:07	–	euvd

[
  {
    "vendor": "cli",
    "product": "go-gh",
    "versions": [
      {
        "version": "< 2.11.1",
        "status": "affected"
      }
    ]
  }
]

Source	Link
docs	www.docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log
github	www.github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
docs	www.docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps
github	www.github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go
docs	www.docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
docs	www.docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token

27 Nov 2024 21:25Current

CVSS 3.16.5

EPSS0.00523

CWE-200