{"vulnerability": "CVE-2024-52308", "sightings": [{"uuid": "5c1271a8-9467-4403-b4e6-533ef09f1e9c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-52308", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113483800434488994", "content": "", "creation_timestamp": "2024-11-14T23:02:53.499725Z"}, {"uuid": "db209423-6cfb-42d8-a0ac-3f1d571f741b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-52308", "type": "seen", "source": "https://t.me/cvedetector/11033", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-52308 - GitHub CLI Remote Code Execution via Malicious Devcontainer SSH Server\", \n  \"Content\": \"CVE ID : CVE-2024-52308 \nPublished : Nov. 14, 2024, 11:15 p.m. | 38\u00a0minutes ago \nDescription : The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.  \n  \nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](). GitHub CLI [retrieves SSH connection details](), such as remote username, which is used in [executing `ssh` commands]() for `gh codespace ssh` or `gh codespace logs` commands.  \n  \nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`.  The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.  \n  \nIn `2.62.0`, the remote username information is being validated before being used. \nSeverity: 8.0 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"15 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-15T01:02:02.000000Z"}, {"uuid": "b1a52bef-42d3-4fbb-8274-2ff816efb669", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-52308", "type": "seen", "source": "MISP/1c5c38d6-3401-41ac-be0e-4cf361fa6f51", "content": "", "creation_timestamp": "2025-09-25T00:36:28.000000Z"}]}