Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wMmgyLTN2ZzktNHA4N84ABBW1
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
Summary
A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands.
Details
The vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the default devcontainer image. GitHub CLI retrieves SSH connection details, such as remote username, which is used in executing ssh commands for gh codespace ssh or gh codespace logs commands.
This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects ssh arguments within the SSH connection details. gh codespace ssh and gh codespace logs commands could execute arbitrary code on the user's workstation if the remote username contains something like -oProxyCommand="echo hacked" #. The -oProxyCommand flag causes ssh to execute the provided command while # shell comment causes any other ssh arguments to be ignored.
In 2.62.0, the remote username information is being validated before being used.
Impact
Successful exploitation could lead to arbitrary code execution on the user's workstation, potentially compromising the user's data and system.
Remediation and Mitigation
- Upgrade
ghto2.62.0 - Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wMmgyLTN2ZzktNHA4N84ABBW1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 days ago
Updated: 1 day ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-p2h2-3vg9-4p87, CVE-2024-52308
References:
- https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87
- https://nvd.nist.gov/vuln/detail/CVE-2024-52308
- https://pkg.go.dev/vuln/GO-2024-3269
- https://github.com/advisories/GHSA-p2h2-3vg9-4p87
Blast Radius: 12.6
Affected Packages
go:github.com/cli/cli
Dependent packages: 58Dependent repositories: 36
Downloads:
Affected Version Ranges: < 2.62.0
Fixed in: 2.62.0
All affected versions: 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.14.0
All unaffected versions:
go:github.com/cli/cli/v2
Dependent packages: 196Dependent repositories: 25
Downloads:
Affected Version Ranges: <= 2.61.0
Fixed in: 2.62.0
All affected versions: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.15.0, 2.16.0, 2.16.1, 2.17.0, 2.18.0, 2.18.1, 2.19.0, 2.20.0, 2.20.1, 2.20.2, 2.21.0, 2.21.1, 2.21.2, 2.22.0, 2.22.1, 2.23.0, 2.24.0, 2.24.1, 2.24.2, 2.24.3, 2.25.0, 2.25.1, 2.26.0, 2.26.1, 2.27.0, 2.28.0, 2.29.0, 2.30.0, 2.31.0, 2.32.0, 2.32.1, 2.33.0, 2.34.0, 2.35.0, 2.36.0, 2.37.0, 2.38.0, 2.39.0, 2.39.1, 2.39.2, 2.40.0, 2.40.1, 2.41.0, 2.42.0, 2.42.1, 2.43.0, 2.43.1, 2.44.0, 2.44.1, 2.45.0, 2.46.0, 2.47.0, 2.48.0, 2.49.0, 2.49.1, 2.49.2, 2.50.0, 2.51.0, 2.52.0, 2.53.0, 2.54.0, 2.55.0, 2.56.0, 2.57.0, 2.58.0, 2.59.0, 2.60.0, 2.60.1, 2.61.0
All unaffected versions: 2.62.0