CVE-2024-54132
Description
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/cli/cli/v2Go | < 2.63.1 | 2.63.1 |
github.com/cli/cliGo | <= 1.14.0 | — |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/ghpkg:apk/chainguard/gh-docpkg:apk/wolfi/ghpkg:apk/wolfi/gh-docpkg:golang/github.com/cli/clipkg:golang/github.com/cli/cli/v2pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 2.63.1-r0+ 6 more
- (no CPE)range: < 2.63.1-r0
- (no CPE)range: < 2.63.1-r0
- (no CPE)range: < 2.63.1-r0
- (no CPE)range: < 2.63.1-r0
- (no CPE)range: <= 1.14.0
- (no CPE)range: < 2.63.1
- (no CPE)range: < 0.0.20241209T183251-1.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.