Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NXYzLXhoMjMtOTZnaM4ABB4b
`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace
Summary
A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.
Details
go-gh sources authentication tokens from different environment variables depending on the host involved:
GITHUB_TOKEN,GH_TOKENfor GitHub.com and ghe.comGITHUB_ENTERPRISE_TOKEN,GH_ENTERPRISE_TOKENfor GitHub Enterprise Server
Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace.
In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.
Impact
Successful exploitation could send authentication token to an unintended host.
Remediation and mitigation
- Upgrade
go-ghto2.11.1 - Advise extension users to regenerate authentication tokens:
- Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NXYzLXhoMjMtOTZnaM4ABB4b
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 29 days ago
Updated: 14 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
EPSS Percentage: 0.00044
EPSS Percentile: 0.11764
Identifiers: GHSA-55v3-xh23-96gh, CVE-2024-53859
References:
- https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
- https://nvd.nist.gov/vuln/detail/CVE-2024-53859
- https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token
- https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
- https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77
- https://pkg.go.dev/vuln/GO-2024-3295
- https://github.com/advisories/GHSA-55v3-xh23-96gh
Blast Radius: 14.0
Affected Packages
go:github.com/cli/go-gh
Dependent packages: 434Dependent repositories: 143
Downloads:
Affected Version Ranges: < 2.11.1
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.1.0, 0.1.1, 0.1.2, 1.0.0, 1.1.0, 1.2.0, 1.2.1
go:github.com/cli/go-gh/v2
Dependent packages: 346Dependent repositories: 32
Downloads:
Affected Version Ranges: <= 2.11.0
Fixed in: 2.11.1
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.11.0
All unaffected versions: 2.11.1