go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` sources authentication tokens from different environment variables depending on the host involved: 1. `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com and 2. `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server. Prior to version `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version `2.11.1`, `auth.TokenForHost` will only source a token from the `GITHUB_TOKEN` environment variable for GitHub.com or ghe.com hosts. Successful exploitation could send authentication token to an unintended host. This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.
Metrics
Affected Vendors & Products
References
History
Tue, 03 Dec 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Github
Github go-gh |
|
CPEs | cpe:2.3:a:github:go-gh:*:*:*:*:*:*:*:* | |
Vendors & Products |
Github
Github go-gh |
|
Metrics |
ssvc
|
Wed, 27 Nov 2024 21:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` sources authentication tokens from different environment variables depending on the host involved: 1. `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com and 2. `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server. Prior to version `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version `2.11.1`, `auth.TokenForHost` will only source a token from the `GITHUB_TOKEN` environment variable for GitHub.com or ghe.com hosts. Successful exploitation could send authentication token to an unintended host. This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise. | |
Title | go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace | |
Weaknesses | CWE-200 | |
References |
|
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-11-27T21:25:12.391Z
Updated: 2024-12-03T16:15:49.930Z
Reserved: 2024-11-22T17:30:02.143Z
Link: CVE-2024-53859
Vulnrichment
Updated: 2024-12-03T16:15:44.229Z
NVD
Status : Received
Published: 2024-11-27T22:15:05.673
Modified: 2024-11-27T22:15:05.673
Link: CVE-2024-53859
Redhat
No data.