GHSA-55v3-xh23-96gh / CVE-2024-53859: `auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace
Moderate severity. GitHub Reviewed. Published Nov 27, 2024 in cli/go-gh. Updated Nov 27, 2024.
Package
gomod github.com/cli/go-gh/v2 (Go)
Affected versions
<= 2.11.0
Summary
A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.
Details
go-gh sources authentication tokens from different environment variables depending on the host involved:
- GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com
- GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server
Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace.
In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.
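The host boundary described above, as an added stand-alone illustration (not go-gh's own code): the environment is passed in as a map so the selection can be checked offline, the CODESPACES=true marker is assumed to be the codespace signal, and treating subdomains of github.com and ghe.com as the same class is an assumption of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// isGitHubDotComHost reports whether host is GitHub.com or ghe.com (or, by
// assumption here, a subdomain of either): the only hosts for which the
// GH_TOKEN / GITHUB_TOKEN variables may be used.
func isGitHubDotComHost(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, root := range []string{"github.com", "ghe.com"} {
		if h == root || strings.HasSuffix(h, "."+root) {
			return true
		}
	}
	return false
}

// tokenForHost returns the token for host and the variable it came from, or
// empty strings when no variable of the host's class is set. The set of
// variables consulted depends only on the host class; a codespace marker such
// as CODESPACES=true never widens it, which is the 2.11.1 behaviour the
// advisory describes (before 2.11.1, GITHUB_TOKEN could be returned for a
// non-GitHub host inside a codespace).
func tokenForHost(host string, env map[string]string) (token, source string) {
	candidates := []string{"GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN"}
	if isGitHubDotComHost(host) {
		candidates = []string{"GH_TOKEN", "GITHUB_TOKEN"}
	}
	for _, name := range candidates {
		if v := env[name]; v != "" {
			return v, name
		}
	}
	return "", ""
}

func main() {
	// Constructed environment resembling a codespace where only a GitHub.com
	// token is set (sample value, not a real token).
	env := map[string]string{"CODESPACES": "true", "GITHUB_TOKEN": "ghp_EXAMPLE"}
	for _, host := range []string{"github.com", "tenant.ghe.com", "ghes.example.internal"} {
		tok, src := tokenForHost(host, env)
		fmt.Printf("%-22s token=%q from=%q\n", host, tok, src)
	}
}
```

For the non-GitHub host the call returns no token at all rather than falling through to GITHUB_TOKEN, which is the leak the advisory closes.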
Impact
Successful exploitation could send an authentication token to an unintended host.
Remediation and mitigation
- Upgrade go-gh to 2.11.1
- Advise extension users to regenerate authentication tokens:
  - Personal access tokens
  - GitHub CLI OAuth app
- Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise
References
- GHSA-55v3-xh23-96gh
Published to the GitHub Advisory Database: Nov 27, 2024
Last updated: Nov 27, 2024