ghsa-55v3-xh23-96gh
Vulnerability from github
Published
2024-11-27 21:43
Modified
2024-12-12 19:17
Severity ?
6.5 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Summary
`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace
Details

Summary

A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.

Details

go-gh sources authentication tokens from different environment variables depending on the host involved:

  • GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com
  • GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server

Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace.

In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.

Impact

Successful exploitation could send authentication token to an unintended host.

Remediation and mitigation

  1. Upgrade go-gh to 2.11.1
  2. Advise extension users to regenerate authentication tokens:
  3. Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise
Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cli/go-gh/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.11.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cli/go-gh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-27T21:43:03Z",
    "nvd_published_at": "2024-11-27T22:15:05Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.\n\n### Details\n\n`go-gh` sources authentication tokens from different environment variables depending on the host involved:\n\n- `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com\n- `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server\n\nPrior to `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when [within a codespace](https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77).\n\nIn `2.11.1`, `auth.TokenForHost` will only source a token from the `GITHUB_TOKEN` environment variable for GitHub.com or ghe.com hosts.\n\n### Impact\n\nSuccessful exploitation could send authentication token to an unintended host. \n\n### Remediation and mitigation\n\n1. Upgrade `go-gh` to `2.11.1`\n2. Advise extension users to regenerate authentication tokens:\n    - [Personal access tokens](https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)\n    - [GitHub CLI OAuth app](https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps)\n3. Advise extension users to review their personal [security log](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log) and any relevant [audit logs](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token) for actions associated with their account or enterprise\n",
  "id": "GHSA-55v3-xh23-96gh",
  "modified": "2024-12-12T19:17:34Z",
  "published": "2024-11-27T21:43:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53859"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cli/go-gh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3295"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "`auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.