go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace
Description
go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens from different environment variables depending on the host involved: 1. GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com and 2. GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server. Prior to version 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts. Successful exploitation could send authentication token to an unintended host. This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cli/go-gh/v2Go | < 2.11.1 | 2.11.1 |
github.com/cli/go-ghGo | >= 0 | — |
Affected products
10- osv-coords9 versionspkg:apk/chainguard/ghpkg:apk/chainguard/gh-docpkg:apk/chainguard/wolfictlpkg:apk/wolfi/ghpkg:apk/wolfi/gh-docpkg:apk/wolfi/wolfictlpkg:golang/github.com/cli/go-ghpkg:golang/github.com/cli/go-gh/v2pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 2.63.0-r0+ 8 more
- (no CPE)range: < 2.63.0-r0
- (no CPE)range: < 2.63.0-r0
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: < 2.63.0-r0
- (no CPE)range: < 2.63.0-r0
- (no CPE)range: < 0.26.0-r1
- (no CPE)range: >= 0
- (no CPE)range: < 2.11.1
- (no CPE)range: < 0.0.20241213T205935-1.1
- cli/go-ghv5Range: < 2.11.1
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-55v3-xh23-96ghghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-53859ghsaADVISORY
- docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-appsghsax_refsource_MISCWEB
- docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-logghsax_refsource_MISCWEB
- docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-tokenghsax_refsource_MISCWEB
- docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokensghsax_refsource_MISCWEB
- github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.goghsax_refsource_MISCWEB
- github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96ghghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2024-3295ghsaWEB
News mentions
0No linked articles in our index yet.