
12 matches found

Filippo.io
added 2026/02/12 1:48 p.m., 6 views

Inspecting the Source of Go Modules

Go has indisputably the best package integrity story of any programming language ecosystem. The Go Checksum Database guarantees that every Go client in the world is using the same source for a given Go module and version, forever. It works despite the decentralized nature of Go modules, which can...

5.8 AI score
Exploits: 0
Snyk
added 2025/05/30 7:41 p.m., 2 views

Trust Boundary Violation

Overview Affected versions of this package are vulnerable to Trust Boundary Violation due to the Browse method using URLs provided through API responses from authenticated GitHub hosts when users execute gh commands. An attacker in control of a malicious GitHub server can execute arbitrary comman...

9.8 CVSS, 7.5 AI score, 0.00398 EPSS
Exploits: 0, References: 2
Veracode
added 2024/12/23 3:8 p.m., 9 views

Authentication Token Leakage

github.com/cli/go-gh is vulnerable to authentication token leakage. The vulnerability is due to improper handling of authentication tokens, where auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for non-GitHub hosts within a codespace...

7.5 CVSS, 6.8 AI score, 0.0008 EPSS
Exploits: 0, References: 8, Affected Software: 1
OSV
added 2024/12/02 8:6 p.m., 25 views

GO-2024-3296 Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli

Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli...

6.5 CVSS, 6.7 AI score, 0.00053 EPSS
Exploits: 0, References: 3
OSV
added 2024/11/27 10:15 p.m., 0 views

AZL-53477 CVE-2024-53858 affecting package gh for versions less than 2.62.0-5

The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several gh commands...

6.5 CVSS, 7.2 AI score, 0.00053 EPSS
Exploits: 0, References: 1
OSV
added 2024/11/27 10:15 p.m., 1 views

AZL-53759 CVE-2024-53858 affecting package gh for versions less than 2.13.0-24

The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several gh commands...

6.5 CVSS, 7.2 AI score, 0.00053 EPSS
Exploits: 0, References: 1
OSV
added 2024/11/27 10:15 p.m., 1 views

UBUNTU-CVE-2024-53858

The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several gh commands...

6.5 CVSS, 7.2 AI score, 0.00053 EPSS
Exploits: 0, References: 5
CVE
added 2024/11/27 9:25 p.m., 293 views

CVE-2024-53858

CVE-2024-53858 affects the gh CLI (GitHub CLI) and can leak authentication tokens when cloning repositories that contain git submodules hosted outside GitHub.com/ghe.com. The root cause is that certain gh commands (e.g., gh repo clone, gh repo fork, gh pr checkout) invoke git in a way that retrie...

6.5 CVSS, 6.8 AI score, 0.00053 EPSS
Exploits: 0, References: 2
OSV
added 2024/11/27 9:25 p.m., 7 views

CVE-2024-53859 go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...

6.5 CVSS, 6.4 AI score, 0.0008 EPSS
Exploits: 0, References: 8
Vulnrichment
added 2024/11/27 9:25 p.m., 10 views

CVE-2024-53859 go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...

6.5 CVSS, 7 AI score, 0.0008 EPSS
Exploits: 0, References: 6
Positive Technologies
added 2024/11/27 12:0 a.m., 1 views

PT-2024-35956

Name of the Vulnerable Software and Affected Versions: go-gh versions prior to 2.11.1 Description: A security issue has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens from...

9.8 CVSS, 6.2 AI score, 0.93747 EPSS
Exploits: 15, References: 45
CNNVD
added 2024/11/27 12:0 a.m., 2 views

go-gh information disclosure vulnerability

go-gh is a collection of Go modules open sourced from the GitHub CLI. It is used to interact with gh and GitHub APIs from the command line. An information disclosure vulnerability exists in go-gh versions prior to 2.11.1, which stems from the possibility of disclosing authentication tokens used f...

7.5 CVSS, 6.8 AI score, 0.0008 EPSS
Exploits: 0, References: 2