
28 matches found

Debian CVE
added 2024/11/27 9:25 p.m., 11 views

CVE-2024-53859

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...

CVSS 7.5, AI score 6.3, EPSS 0.0008
Exploits: 0
CVE
added 2024/11/27 9:25 p.m., 326 views

CVE-2024-53859

The CVE-2024-53859 issue affects the go-gh Go module used to interact with gh and GitHub, where auth.TokenForHost could pull a token from GITHUB_TOKEN (or GH_TOKEN) for non‑GitHub hosts when running in a codespace prior to version 2.11.1. In 2.11.1, token sourcing is restricted to GitHub.com or g...

CVSS 7.5, AI score 6.6, EPSS 0.0008
Exploits: 0, References: 6, Affected Software: 1
Positive Technologies
added 2024/11/27 12:0 a.m., 2 views

PT-2024-35956

Name of the Vulnerable Software and Affected Versions: go-gh versions prior to 2.11.1
Description: A security issue has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens from...

CVSS 9.8, AI score 6.2, EPSS 0.93667
Exploits: 15, References: 45
SUSE CVE
added 2024/11/16 12:19 a.m., 1 views

SUSE CVE-2024-52308

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running with...

CVSS 9.6, AI score 8.7, EPSS 0.07533
Exploits: 0, References: 6
OSV
added 2024/11/14 11:15 p.m., 0 views

AZL-53217 CVE-2024-52308 affecting package gh for versions less than 2.62.0-1

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running with...

CVSS 9.6, AI score 8.2, EPSS 0.07533
Exploits: 0, References: 1
OSV
added 2024/11/14 11:15 p.m., 1 views

DEBIAN-CVE-2024-52308

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running with...

CVSS 9.6, AI score 9.7, EPSS 0.07533
Exploits: 0, References: 1
OSV
added 2024/11/14 11:15 p.m., 0 views

UBUNTU-CVE-2024-52308

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running with...

CVSS 9.6, AI score 8.1, EPSS 0.07533
Exploits: 0, References: 4
GitHub Security Blog
added 2024/11/14 5:39 p.m., 11 views

Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer

Summary: A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands.
Details: The vulnerability stems from the way GitHub CLI handles SSH...

CVSS 9.6, AI score 8.8, EPSS 0.07533
Exploits: 0, References: 4, Affected Software: 2