Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ybTloLXI1N2ctNDVwas4ABCDS
Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability
Summary
A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through `gh run download`.
Details
This vulnerability stems from a GitHub Actions workflow artifact named `..` being downloaded with `gh run download`. The artifact name and the `--dir` flag are combined to determine the artifact's download path. When the artifact is named `..`, the files within the artifact are extracted exactly one directory above the directory given by `--dir`.

In 2.63.1, `gh run download` refuses to download artifacts named `..` or `.` and instead exits with the following error message:

error downloading ..: would result in path traversal
Impact
Successful exploitation lets a malicious artifact create or overwrite files exactly one directory above the directory specified by `--dir`, i.e. a local path traversal limited to a single level. The attacker must be able to publish an artifact to a workflow run that the victim then downloads.
Remediation and Mitigation
- Upgrade `gh` to 2.63.1 or later.
- Implement additional validation to ensure artifact names do not contain potentially dangerous patterns, such as `..`, so that the resolved download path cannot escape the `--dir` directory.
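As an added illustration (not code from the gh project), the following Go program contrasts a naive join of `--dir` and the artifact name, which resolves an artifact named `..` one level above the download directory, with a containment check that rejects it. Function names and the sample artifact names are assumptions made for this example; the error text mirrors the message quoted above. The check also rejects names such as `../evil` or an absolute path, which the advisory does not discuss but which fail the same containment test.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned when an artifact name would place files
// outside the requested download directory.
var ErrPathTraversal = errors.New("would result in path traversal")

// naiveDownloadPath mirrors the pre-fix behaviour described in the
// advisory: the artifact name is joined onto --dir with no check, so an
// artifact named ".." resolves one level above dir.
func naiveDownloadPath(dir, name string) string {
	return filepath.Join(dir, name)
}

// safeDownloadPath joins name onto dir and rejects any name whose cleaned
// result does not stay strictly inside dir. It covers the ".." and "."
// names from the advisory and, by the same containment rule, names like
// "../evil", "a/../../x" and absolute paths (assumed cases, not from the
// advisory).
func safeDownloadPath(dir, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty artifact name")
	}
	base := filepath.Clean(dir)
	target := filepath.Join(base, name)

	// Rel fails when target cannot be expressed relative to base
	// (e.g. an absolute artifact name on a relative dir).
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", fmt.Errorf("downloading %s: %w", name, ErrPathTraversal)
	}
	// rel == "." means target is dir itself (artifact named "."),
	// a leading ".." means it escaped dir; refuse both.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("downloading %s: %w", name, ErrPathTraversal)
	}
	return target, nil
}

func main() {
	// Constructed sample artifact names for the demonstration.
	names := []string{"build-logs", "..", ".", "../evil", "a/../../x", "..hidden"}
	for _, n := range names {
		fmt.Printf("naive: %-12q -> %q\n", n, naiveDownloadPath("out", n))
		if p, err := safeDownloadPath("out", n); err != nil {
			fmt.Printf("safe:  %-12q -> error: %v\n", n, err)
		} else {
			fmt.Printf("safe:  %-12q -> %q\n", n, p)
		}
	}
}
```

With `--dir out`, the naive join maps `..` to `.` (the parent of `out`), which is exactly the one-level traversal the advisory describes; the containment check turns that into an error instead.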
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ybTloLXI1N2ctNDVwas4ABCDS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 14 days ago
Updated: 13 days ago
EPSS Percentage: 0.00044
EPSS Percentile: 0.1207
Identifiers: GHSA-2m9h-r57g-45pj, CVE-2024-54132
References:
- https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj
- https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932
- https://nvd.nist.gov/vuln/detail/CVE-2024-54132
- https://github.com/advisories/GHSA-2m9h-r57g-45pj
Blast Radius: 0.0
Affected Packages
go:github.com/cli/cli
Dependent packages: 58, Dependent repositories: 36
Downloads:
Affected Version Ranges: <= 1.14.0
No known fixed version
All affected versions: 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.14.0
go:github.com/cli/cli/v2
Dependent packages: 196, Dependent repositories: 25
Downloads:
Affected Version Ranges: < 2.63.1
Fixed in: 2.63.1
All affected versions: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.15.0, 2.16.0, 2.16.1, 2.17.0, 2.18.0, 2.18.1, 2.19.0, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.21.1, 2.21.2, 2.22.0, 2.22.1, 2.23.0, 2.24.0, 2.24.1, 2.24.2, 2.24.3, 2.25.0, 2.25.1, 2.26.0, 2.26.1, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.32.1, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.39.1, 2.39.2, 2.40.0, 2.40.1, 2.41.0, 2.42.0, 2.42.1, 2.43.0, 2.43.1, 2.44.0, 2.44.1, 2.45.0, 2.46.0, 2.47.0, 2.48.0, 2.49.0, 2.49.1, 2.49.2, 2.50.0, 2.51.0, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.56.0, 2.57.0, 2.58.0, 2.59.0, 2.60.0, 2.60.1, 2.61.0, 2.62.0, 2.63.0
All unaffected versions: 2.63.1, 2.63.2