GHSA-55v3-xh23-96gh: `auth.TokenForHost` violates GitHub host security boundary when sourcing authentication token within a codespace
CVE-2024-53859 (GitHub Advisory Database, GitHub Reviewed)

Severity: Moderate (GitHub Reviewed). Published Nov 27, 2024 in cli/go-gh; updated Nov 27, 2024.

Package

gomod github.com/cli/go-gh/v2 (Go)

Affected versions

<= 2.11.0

Summary

A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.

Details

go-gh sources authentication tokens from different environment variables depending on the host involved:

  • GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com
  • GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server

Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace.

In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.
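As an added illustration (not go-gh's own code), the host-to-variable rule above written out in Go: TokenForHost applies the 2.11.1 behaviour, while LegacyTokenForHost reconstructs the codespace fallback the advisory describes so the two can be compared side by side. Assumptions: env is a map standing in for the process environment, and subdomains of github.com and ghe.com (such as api.github.com) are treated as in scope.

```go
package main

import "strings"

var (
	githubVars     = []string{"GH_TOKEN", "GITHUB_TOKEN"}                       // GitHub.com and ghe.com
	enterpriseVars = []string{"GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN"} // GitHub Enterprise Server
)

// isGitHubHost reports whether host is github.com or ghe.com (case-insensitive,
// port ignored). Assumption: subdomains such as api.github.com count too.
func isGitHubHost(host string) bool {
	host, _, _ = strings.Cut(strings.ToLower(strings.TrimSpace(host)), ":")
	for _, d := range []string{"github.com", "ghe.com"} {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// firstSet returns the first non-empty variable in vars and its name;
// env stands in for os.Getenv so the logic can be exercised offline.
func firstSet(env map[string]string, vars []string) (token, source string) {
	for _, v := range vars {
		if t := env[v]; t != "" {
			return t, v
		}
	}
	return "", ""
}

// TokenForHost is the hardened rule: each host class draws only from its own
// variable set, so GITHUB_TOKEN is never handed to an enterprise host.
func TokenForHost(host string, env map[string]string) (token, source string) {
	if isGitHubHost(host) {
		return firstSet(env, githubVars)
	}
	return firstSet(env, enterpriseVars)
}

// LegacyTokenForHost reconstructs the pre-2.11.1 behaviour the advisory describes
// (illustrative, not go-gh's source): in a codespace it falls back to GITHUB_TOKEN for any host.
func LegacyTokenForHost(host string, env map[string]string, inCodespace bool) (string, string) {
	if t, v := TokenForHost(host, env); t != "" || !inCodespace {
		return t, v
	}
	return firstSet(env, []string{"GITHUB_TOKEN"}) // the boundary violation
}
```

Running the same constructed environment (only GITHUB_TOKEN set) through both functions for an enterprise host shows the legacy path returning the GitHub.com token while the hardened path returns nothing.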

Impact

Successful exploitation could send an authentication token to an unintended host.

Remediation and mitigation

  1. Upgrade go-gh to 2.11.1
  2. Advise extension users to regenerate authentication tokens:
    • Personal access tokens
    • GitHub CLI OAuth app
  3. Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise

References

  • GHSA-55v3-xh23-96gh

Published to the GitHub Advisory Database

Nov 27, 2024

Last updated

Nov 27, 2024
