Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-52308 (GCVE-0-2024-52308)
Vulnerability from cvelistv5 – Published: 2024-11-14 22:55 – Updated: 2024-11-15 19:33
VLAI?
EPSS
Title
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
Summary
The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.
Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.
This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.
In `2.62.0`, the remote username information is being validated before being used.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
RyotaK from Flatt Security Inc.
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cli",
"vendor": "github",
"versions": [
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T19:31:52.795141Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T19:33:42.842Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cli",
"vendor": "cli",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.61.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "RyotaK from Flatt Security Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\u003c/p\u003e\u003cp\u003eDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration)\"\u003ehttps://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-...\u003c/a\u003e. GitHub CLI [retrieves SSH connection details](\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244\"\u003ehttps://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv...\u003c/a\u003e), such as remote username, which is used in [executing `ssh` commands](\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263\"\u003ehttps://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2...\u003c/a\u003e) for `gh codespace ssh` or `gh codespace logs` commands.\u003c/p\u003e\u003cp\u003eThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\u003c/p\u003e\u003cp\u003eIn `2.62.0`, the remote username information is being validated before being used.\u003c/p\u003e"
}
],
"value": "The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\n\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T00:22:11.024Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87"
}
],
"source": {
"advisory": "GHSA-p2h2-3vg9-4p87",
"discovery": "UNKNOWN"
},
"title": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52308",
"datePublished": "2024-11-14T22:55:38.693Z",
"dateReserved": "2024-11-06T19:00:26.397Z",
"dateUpdated": "2024-11-15T19:33:42.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-52308\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-14T23:15:05.727\",\"lastModified\":\"2024-11-20T15:07:43.127\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\\n\\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.\\n\\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\\\"echo hacked\\\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\\n\\nIn `2.62.0`, the remote username information is being validated before being used.\"},{\"lang\":\"es\",\"value\":\"La versi\u00f3n 2.6.1 y anteriores de la CLI de GitHub son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de un servidor SSH de codespace malicioso cuando se usan los comandos `gh codespace ssh` o `gh codespace logs`. Esto se ha corregido en la CLI v2.62.0. Los desarrolladores se conectan a codespaces remotos a trav\u00e9s de un servidor SSH que se ejecuta dentro del devcontainer, que generalmente se proporciona a trav\u00e9s de la [imagen predeterminada de devcontainer]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [recupera detalles de conexi\u00f3n SSH]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), como el nombre de usuario remoto, que se utiliza al [ejecutar comandos `ssh`]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) para los comandos `gh codespace ssh` o `gh codespace logs`. Esta vulnerabilidad se produce cuando un contenedor de desarrollo malintencionado de terceros contiene un servidor SSH modificado que inyecta argumentos `ssh` dentro de los detalles de la conexi\u00f3n SSH. Los comandos `gh codespace ssh` y `gh codespace logs` podr\u00edan ejecutar c\u00f3digo arbitrario en la estaci\u00f3n de trabajo del usuario si el nombre de usuario remoto contiene algo como `-oProxyCommand=\\\"echo hacked\\\" #`. El indicador `-oProxyCommand` hace que `ssh` ejecute el comando proporcionado mientras que el comentario de shell `#` hace que se ignoren todos los dem\u00e1s argumentos de `ssh`. En `2.62.0`, la informaci\u00f3n del nombre de usuario remoto se valida antes de usarse.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.62.0\",\"matchCriteriaId\":\"745C1C41-D49C-4B7F-94F5-24A44BCCCFF5\"}]}]}],\"references\":[{\"url\":\"https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52308\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-15T19:31:52.795141Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*\"], \"vendor\": \"github\", \"product\": \"cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.6.1\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-15T19:33:36.549Z\"}}], \"cna\": {\"title\": \"Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer\", \"source\": {\"advisory\": \"GHSA-p2h2-3vg9-4p87\", \"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"RyotaK from Flatt Security Inc.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"cli\", \"product\": \"cli\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.61.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87\", \"name\": \"https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\\n\\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.\\n\\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\\\"echo hacked\\\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\\n\\nIn `2.62.0`, the remote username information is being validated before being used.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\u003c/p\u003e\u003cp\u003eDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration)\\\"\u003ehttps://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-...\u003c/a\u003e. GitHub CLI [retrieves SSH connection details](\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244\\\"\u003ehttps://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv...\u003c/a\u003e), such as remote username, which is used in [executing `ssh` commands](\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263\\\"\u003ehttps://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2...\u003c/a\u003e) for `gh codespace ssh` or `gh codespace logs` commands.\u003c/p\u003e\u003cp\u003eThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\\\"echo hacked\\\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\u003c/p\u003e\u003cp\u003eIn `2.62.0`, the remote username information is being validated before being used.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-15T00:22:11.024Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-52308\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-15T19:33:42.842Z\", \"dateReserved\": \"2024-11-06T19:00:26.397Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-14T22:55:38.693Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
BDU:2024-10385
Vulnerability from fstec - Published: 14.11.2024
VLAI Severity ?
Title
Уязвимость интерфейса командной строки CLI платформы для совместной разработки GitHub, связанная с непринятием мер по нейтрализации специальных элементов, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость интерфейса командной строки CLI платформы для совместной разработки GitHub связана с непринятием мер по нейтрализации специальных элементов. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код
Severity ?
Vendor
GitHub Inc
Software Name
cli
Software Version
до 2.62.0 (cli)
Possible Mitigations
Использование рекомендаций производителя:
https://github.com/cli/cli/releases/tag/v2.62.0
Reference
https://github.com/cli/cli/releases/tag/v2.62.0
https://securityonline.info/cve-2024-52308-github-cli-vulnerability-could-allow-remote-code-execution/
https://www.cve.org/CVERecord?id=CVE-2024-52308
CWE
CWE-77
{
"CVSS 2.0": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "GitHub Inc",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 2.62.0 (cli)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://github.com/cli/cli/releases/tag/v2.62.0",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "14.11.2024",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "17.12.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "26.11.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-10385",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-52308",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "cli",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043a\u043e\u043c\u0430\u043d\u0434\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 CLI \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0439 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 GitHub, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0447\u0438\u0441\u0442\u043a\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u043d\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0449\u0435\u043c \u0443\u0440\u043e\u0432\u043d\u0435 (\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0443) (CWE-77)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043a\u043e\u043c\u0430\u043d\u0434\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 CLI \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0439 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 GitHub \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/cli/cli/releases/tag/v2.62.0\nhttps://securityonline.info/cve-2024-52308-github-cli-vulnerability-could-allow-remote-code-execution/\nhttps://www.cve.org/CVERecord?id=CVE-2024-52308",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-77",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8)"
}
NCSC-2024-0454
Vulnerability from csaf_ncscnl - Published: 2024-11-19 15:03 - Updated: 2024-11-19 15:03Summary
Kwetsbaarheid verholpen in GitHub CLI
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: GitHub heeft een kwetsbaarheid verholpen in GitHub CLI (Specifiek voor versies 2.6.1 en eerder).
Interpretaties: De kwetsbaarheid bevindt zich in de wijze waarop GitHub CLI SSH-verbindingdetails beheert. Dit kan kwaadwillenden in staat stellen om willekeurige code uit te voeren op het werkstation van de gebruiker wanneer er verbinding wordt gemaakt met een kwaadaardige Codespace SSH-server en specifieke commando's worden uitgevoerd.
Oplossingen: GitHub heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
8.0 (High)
References
| URL | Category | |
|---|---|---|
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "GitHub heeft een kwetsbaarheid verholpen in GitHub CLI (Specifiek voor versies 2.6.1 en eerder).",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheid bevindt zich in de wijze waarop GitHub CLI SSH-verbindingdetails beheert. Dit kan kwaadwillenden in staat stellen om willekeurige code uit te voeren op het werkstation van de gebruiker wanneer er verbinding wordt gemaakt met een kwaadaardige Codespace SSH-server en specifieke commando\u0027s worden uitgevoerd.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "GitHub heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52308"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://github.com/advisories/GHSA-p2h2-3vg9-4p87"
}
],
"title": "Kwetsbaarheid verholpen in GitHub CLI",
"tracking": {
"current_release_date": "2024-11-19T15:03:48.421618Z",
"id": "NCSC-2024-0454",
"initial_release_date": "2024-11-19T15:03:48.421618Z",
"revision_history": [
{
"date": "2024-11-19T15:03:48.421618Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "cli",
"product": {
"name": "cli",
"product_id": "CSAFPID-1720753",
"product_identification_helper": {
"cpe": "cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "github"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52308",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1720753"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-52308",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-52308.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.0,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1720753"
]
}
],
"title": "CVE-2024-52308"
}
]
}
OPENSUSE-SU-2024:14513-1
Vulnerability from csaf_opensuse - Published: 2024-11-20 00:00 - Updated: 2024-11-20 00:00Summary
govulncheck-vulndb-0.0.20241119T173509-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: govulncheck-vulndb-0.0.20241119T173509-1.1 on GA media
Description of the patch: These are all security issues fixed in the govulncheck-vulndb-0.0.20241119T173509-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14513
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.6 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
5.4 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
4.4 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
8.8 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
9.6 (Critical)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "govulncheck-vulndb-0.0.20241119T173509-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20241119T173509-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14513",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14513-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14513-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CJ6SUNDNOZSHM4PZYYGMBH7233D63JOI/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14513-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CJ6SUNDNOZSHM4PZYYGMBH7233D63JOI/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8911 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0109 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0109/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-0793 page",
"url": "https://www.suse.com/security/cve/CVE-2024-0793/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-24425 page",
"url": "https://www.suse.com/security/cve/CVE-2024-24425/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-24426 page",
"url": "https://www.suse.com/security/cve/CVE-2024-24426/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-44625 page",
"url": "https://www.suse.com/security/cve/CVE-2024-44625/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52010 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52010/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52308 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52308/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52522 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52522/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-9526 page",
"url": "https://www.suse.com/security/cve/CVE-2024-9526/"
}
],
"title": "govulncheck-vulndb-0.0.20241119T173509-1.1 on GA media",
"tracking": {
"current_release_date": "2024-11-20T00:00:00Z",
"generator": {
"date": "2024-11-20T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14513-1",
"initial_release_date": "2024-11-20T00:00:00Z",
"revision_history": [
{
"date": "2024-11-20T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"product": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"product_id": "govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"product": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"product_id": "govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"product": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"product_id": "govulncheck-vulndb-0.0.20241119T173509-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64",
"product": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64",
"product_id": "govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64"
},
"product_reference": "govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le"
},
"product_reference": "govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x"
},
"product_reference": "govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
},
"product_reference": "govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8911"
}
],
"notes": [
{
"category": "general",
"text": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target\u0027s S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC\u0027s ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8911",
"url": "https://www.suse.com/security/cve/CVE-2020-8911"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2020-8911"
},
{
"cve": "CVE-2023-0109",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0109"
}
],
"notes": [
{
"category": "general",
"text": "A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0109",
"url": "https://www.suse.com/security/cve/CVE-2023-0109"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2023-0109"
},
{
"cve": "CVE-2024-0793",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-0793"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-0793",
"url": "https://www.suse.com/security/cve/CVE-2024-0793"
},
{
"category": "external",
"summary": "SUSE Bug 1219964 for CVE-2024-0793",
"url": "https://bugzilla.suse.com/1219964"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-0793"
},
{
"cve": "CVE-2024-24425",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-24425"
}
],
"notes": [
{
"category": "general",
"text": "Magma v1.8.0 and OAI EPC Federation v1.20 were discovered to contain an out-of-bounds read in the amf_as_establish_req function at /tasks/amf/amf_as.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-24425",
"url": "https://www.suse.com/security/cve/CVE-2024-24425"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-24425"
},
{
"cve": "CVE-2024-24426",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-24426"
}
],
"notes": [
{
"category": "general",
"text": "Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 allow attackers to cause a Denial of Service (DoS) via a crafted NGAP packet.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-24426",
"url": "https://www.suse.com/security/cve/CVE-2024-24426"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-24426"
},
{
"cve": "CVE-2024-44625",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-44625"
}
],
"notes": [
{
"category": "general",
"text": "Gogs \u003c=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-44625",
"url": "https://www.suse.com/security/cve/CVE-2024-44625"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-44625"
},
{
"cve": "CVE-2024-52010",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52010"
}
],
"notes": [
{
"category": "general",
"text": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52010",
"url": "https://www.suse.com/security/cve/CVE-2024-52010"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-52010"
},
{
"cve": "CVE-2024-52308",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52308"
}
],
"notes": [
{
"category": "general",
"text": "The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\n\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52308",
"url": "https://www.suse.com/security/cve/CVE-2024-52308"
},
{
"category": "external",
"summary": "SUSE Bug 1233387 for CVE-2024-52308",
"url": "https://bugzilla.suse.com/1233387"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2024-52308"
},
{
"cve": "CVE-2024-52522",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52522"
}
],
"notes": [
{
"category": "general",
"text": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52522",
"url": "https://www.suse.com/security/cve/CVE-2024-52522"
},
{
"category": "external",
"summary": "SUSE Bug 1233422 for CVE-2024-52522",
"url": "https://bugzilla.suse.com/1233422"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-52522"
},
{
"cve": "CVE-2024-9526",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-9526"
}
],
"notes": [
{
"category": "general",
"text": "There exists a stored XSS Vulnerability in Kubeflow Pipeline View web UI. The Kubeflow Web UI allows to create new pipelines. When creating a new pipeline, it is possible to add a description. The description field allows html tags, which are not filtered properly. Leading to a stored XSS. We recommend upgrading past commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-9526",
"url": "https://www.suse.com/security/cve/CVE-2024-9526"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.aarch64",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.ppc64le",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.s390x",
"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241119T173509-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-20T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-9526"
}
]
}
OPENSUSE-SU-2024:14509-1
Vulnerability from csaf_opensuse - Published: 2024-11-18 00:00 - Updated: 2024-11-18 00:00Summary
gh-2.62.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: gh-2.62.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the gh-2.62.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14509
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
9.6 (Critical)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
| URL | Category | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "gh-2.62.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the gh-2.62.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14509",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14509-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14509-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTCSKJMBC73WSFKWY7SLMRJFMRX4UHQF/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14509-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YTCSKJMBC73WSFKWY7SLMRJFMRX4UHQF/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52308 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52308/"
}
],
"title": "gh-2.62.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-11-18T00:00:00Z",
"generator": {
"date": "2024-11-18T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14509-1",
"initial_release_date": "2024-11-18T00:00:00Z",
"revision_history": [
{
"date": "2024-11-18T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "gh-2.62.0-1.1.aarch64",
"product": {
"name": "gh-2.62.0-1.1.aarch64",
"product_id": "gh-2.62.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "gh-bash-completion-2.62.0-1.1.aarch64",
"product": {
"name": "gh-bash-completion-2.62.0-1.1.aarch64",
"product_id": "gh-bash-completion-2.62.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "gh-fish-completion-2.62.0-1.1.aarch64",
"product": {
"name": "gh-fish-completion-2.62.0-1.1.aarch64",
"product_id": "gh-fish-completion-2.62.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "gh-zsh-completion-2.62.0-1.1.aarch64",
"product": {
"name": "gh-zsh-completion-2.62.0-1.1.aarch64",
"product_id": "gh-zsh-completion-2.62.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-2.62.0-1.1.ppc64le",
"product": {
"name": "gh-2.62.0-1.1.ppc64le",
"product_id": "gh-2.62.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "gh-bash-completion-2.62.0-1.1.ppc64le",
"product": {
"name": "gh-bash-completion-2.62.0-1.1.ppc64le",
"product_id": "gh-bash-completion-2.62.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "gh-fish-completion-2.62.0-1.1.ppc64le",
"product": {
"name": "gh-fish-completion-2.62.0-1.1.ppc64le",
"product_id": "gh-fish-completion-2.62.0-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "gh-zsh-completion-2.62.0-1.1.ppc64le",
"product": {
"name": "gh-zsh-completion-2.62.0-1.1.ppc64le",
"product_id": "gh-zsh-completion-2.62.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-2.62.0-1.1.s390x",
"product": {
"name": "gh-2.62.0-1.1.s390x",
"product_id": "gh-2.62.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "gh-bash-completion-2.62.0-1.1.s390x",
"product": {
"name": "gh-bash-completion-2.62.0-1.1.s390x",
"product_id": "gh-bash-completion-2.62.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "gh-fish-completion-2.62.0-1.1.s390x",
"product": {
"name": "gh-fish-completion-2.62.0-1.1.s390x",
"product_id": "gh-fish-completion-2.62.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "gh-zsh-completion-2.62.0-1.1.s390x",
"product": {
"name": "gh-zsh-completion-2.62.0-1.1.s390x",
"product_id": "gh-zsh-completion-2.62.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-2.62.0-1.1.x86_64",
"product": {
"name": "gh-2.62.0-1.1.x86_64",
"product_id": "gh-2.62.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "gh-bash-completion-2.62.0-1.1.x86_64",
"product": {
"name": "gh-bash-completion-2.62.0-1.1.x86_64",
"product_id": "gh-bash-completion-2.62.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "gh-fish-completion-2.62.0-1.1.x86_64",
"product": {
"name": "gh-fish-completion-2.62.0-1.1.x86_64",
"product_id": "gh-fish-completion-2.62.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "gh-zsh-completion-2.62.0-1.1.x86_64",
"product": {
"name": "gh-zsh-completion-2.62.0-1.1.x86_64",
"product_id": "gh-zsh-completion-2.62.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.62.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-2.62.0-1.1.aarch64"
},
"product_reference": "gh-2.62.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.62.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-2.62.0-1.1.ppc64le"
},
"product_reference": "gh-2.62.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.62.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-2.62.0-1.1.s390x"
},
"product_reference": "gh-2.62.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.62.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-2.62.0-1.1.x86_64"
},
"product_reference": "gh-2.62.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-bash-completion-2.62.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.aarch64"
},
"product_reference": "gh-bash-completion-2.62.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-bash-completion-2.62.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.ppc64le"
},
"product_reference": "gh-bash-completion-2.62.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-bash-completion-2.62.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.s390x"
},
"product_reference": "gh-bash-completion-2.62.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-bash-completion-2.62.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.x86_64"
},
"product_reference": "gh-bash-completion-2.62.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-fish-completion-2.62.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.aarch64"
},
"product_reference": "gh-fish-completion-2.62.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-fish-completion-2.62.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.ppc64le"
},
"product_reference": "gh-fish-completion-2.62.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-fish-completion-2.62.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.s390x"
},
"product_reference": "gh-fish-completion-2.62.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-fish-completion-2.62.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.x86_64"
},
"product_reference": "gh-fish-completion-2.62.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-zsh-completion-2.62.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.aarch64"
},
"product_reference": "gh-zsh-completion-2.62.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-zsh-completion-2.62.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.ppc64le"
},
"product_reference": "gh-zsh-completion-2.62.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-zsh-completion-2.62.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.s390x"
},
"product_reference": "gh-zsh-completion-2.62.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-zsh-completion-2.62.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.x86_64"
},
"product_reference": "gh-zsh-completion-2.62.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52308",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52308"
}
],
"notes": [
{
"category": "general",
"text": "The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\n\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:gh-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52308",
"url": "https://www.suse.com/security/cve/CVE-2024-52308"
},
{
"category": "external",
"summary": "SUSE Bug 1233387 for CVE-2024-52308",
"url": "https://bugzilla.suse.com/1233387"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:gh-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:gh-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-bash-completion-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-fish-completion-2.62.0-1.1.x86_64",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.aarch64",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.ppc64le",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.s390x",
"openSUSE Tumbleweed:gh-zsh-completion-2.62.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-11-18T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2024-52308"
}
]
}
OPENSUSE-SU-2025:0021-1
Vulnerability from csaf_opensuse - Published: 2025-01-22 10:02 - Updated: 2025-01-22 10:02Summary
Security update for gh
Severity
Important
Notes
Title of the patch: Security update for gh
Description of the patch: This update for gh fixes the following issues:
- Update to version 2.65.0:
* Bump cli/go-gh for indirect security vulnerability
* Panic mustParseTrackingRef if format is incorrect
* Move trackingRef into pr create package
* Make tryDetermineTrackingRef tests more respective of reality
* Rework tryDetermineTrackingRef tests
* Avoid pointer return from determineTrackingBranch
* Doc determineTrackingBranch
* Don't use pointer for determineTrackingBranch branchConfig
* Panic if tracking ref can't be reconstructed
* Document and rework pr create tracking branch lookup
* Upgrade generated workflows
* Fixed test for stdout in non-tty use case of repo fork
* Fix test
* Alternative: remove LocalBranch from BranchConfig
* Set LocalBranch even if the git config fails
* Add test for permissions check for security and analysis edits (#1)
* print repo url to stdout
* Update pkg/cmd/auth/login/login.go
* Move mention of classic token to correct line
* Separate type decrarations
* Add mention of classic token in gh auth login docs
* Update pkg/cmd/repo/create/create.go
* docs(repo): make explicit which branch is used when creating a repo
* fix(repo fork): add non-TTY output when fork is newly created
* Move api call to editRun
* Complete get -> list renaming
* Better error testing for autolink TestListRun
* Decode instead of unmarshal
* Use 'list' instead of 'get' for autolink list type and method
* Remove NewAutolinkClient
* Break out autolink list json fields test
* PR nits
* Refactor autolink subcommands into their own packages
* Whitespace
* Refactor out early return in test code
* Add testing for AutoLinkGetter
* Refactor autolink list and test to use http interface for simpler testing
* Apply PR comment changes
* Introduce repo autolinks list commands
* Remove release discussion posts and clean up related block in deployment yml
* Extract logic into helper function
* add pending status for workflow runs
* Feat: Allow setting security_and_analysis settings in gh repo edit
* Upgrade golang.org/x/net to v0.33.0
* Document SmartBaseRepoFunc
* Document BaseRepoFunc
* Update releasing.md
* Document how to set gh-merge-base
- Update to version 2.64.0:
* add test for different SAN and SourceRepositoryURI values
* add test for signerRepo and tenant
* add some more fields to test that san, sanregex are set properly
* Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6
* update san and sanregex configuration for readability
* reduce duplication when creating policy content
* tweak output of build policy info
* Name conditionals in PR finder
* Support pr view for intra-org forks
* Return err instead of silentError in merge queue check
* linting pointed out this var is no longer used
* Removed fun, but inaccessible ASCII header
* further tweaks to the long description
* Exit on pr merge with `-d` and merge queue
* Addressed PR review feedback; expanded Long command help string, used ghrepo, clarified some abbreviations
* Update pkg/cmd/attestation/inspect/inspect.go
* Update gh auth commands to point to GitHub Docs
* Reformat ext install long
* Mention Windows quirk in ext install help text
* Fix error mishandling in local ext install
* Assert on err msg directly in ext install tests
* Clarify hosts in ext install help text
* Bump golang.org/x/crypto from 0.29.0 to 0.31.0
* Removed now redundant file
* minor tweak to language
* go mod tidy
* Deleted no-longer-used code.
* deleted now-invalid tests, added a tiny patina of new testing.
* Tightened up docs, deleted dead code, improved printing
* fix file name creation on windows
* wording
* hard code expected digest
* fix download test
* use bash shell with integration tests
* simplify var creation
* update integration test scripts
* fix: list branches in square brackets in gh codespace
* try nesting scripts
* run all tests in a single script
* windows for loop syntax
* use replaceAll
* update expected file path on windows
* run integration tests with windows specific syntax
* run all attestation cmd integration tests automatically
* Bump actions/attest-build-provenance from 1.4.4 to 2.1.0
* Improve error handling in apt setup script
* use different file name for attestation files on windows
* test(gh run): assert branch names are enclosed in square brackets
* docs: enhance help text and prompt for rename command
* Revert 'Confirm auto-detected base branch'
* Confirm auto-detected base branch
* Merge changes from #10004
* Set gh-merge-base from `issue develop`
* Open PR against gh-merge-base
* Refactor extension executable error handling
* fix: list branches in square brackets in gh run view (#10038)
* docs: update description of command
* style: reformat files
* docs: update sentence case
* use github owned oci image
* docs: add mention of scopes help topic in `auth refresh` command help
* docs: add mention of scopes help topic in `auth login` command help
* docs: add help topic for auth scopes
* docs: improve help for browse command
* docs: improve docs for browse command as of #5352
* fix package reference
* add gh attestation verify integration test for oci bundles
* add integration test for bundle-from-oci option
* update tests
* update tests
* move content of veriy policy options function into enforcement criteria
* comment
* try switch statement
* remove duplicate err checking
* get bundle issuer in another func
* more logic updating to remove nesting
* inverse logic for less nesting
* remove unneeded nesting
* wip, linting, getting tests to pass
* wording
* var naming
* drop table view
* order policy info so relevant info is printed next to each other
* Update pkg/cmd/attestation/verification/policy.go
* Update pkg/cmd/attestation/verification/policy.go
* Update pkg/cmd/attestation/verification/policy.go
* wip: added new printSummaryInspection
* Improve error handling for missing executable
* experiment with table output
* Assert stderr is empty in manager_test.go
* Update error message wording
* Change: exit zero, still print warning to stderr
* wording
* Improve docs on installing extensions
* Update language for missing extension executable
* Update test comments about Windows behavior
* wording
* wording
* wording
* add newlines for additional policy info
* Document requirements for local extensions
* Warn when installing local ext with no executable
* wording
* formatting
* print policy information before verifying
* add initial policy info method
* more wip poking around, now with table printing
* wip, gh at inspect will check the signature on the bundle
* wip: inspect now prints various bundle fields in a nice json
- Update to version 2.63.2:
* include alg with digest when fetching bundles from OCI
* Error for mutually exclusive json and watch flags
* Use safepaths for run download
* Use consistent slice ordering in run download tests
* Consolidate logic for isolating artifacts
* Fix PR checkout panic when base repo is not in remotes
* When renaming an existing remote in `gh repo fork`, log the change
* Improve DNF version clarity in install steps
* Fix formatting in client_test.go comments for linter
* Expand logic and tests to handle edge cases
* Refactor download testing, simpler file descends
* Bump github.com/gabriel-vasile/mimetype from 1.4.6 to 1.4.7
* Improve test names so there is no repetition
* Second attempt to address exploit
- Update to version 2.63.0:
* Add checkout test that uses ssh git remote url
* Rename backwards compatible credentials pattern
* Fix CredentialPattern doc typos
* Remove TODOs
* Fix typos and add tests for CredentialPatternFrom* functions
* Add SSH remote todo
* General cleanup and docs
* Allow repo sync fetch to use insecure credentials pattern
* Allow client fetch to use insecure credentials pattern
* Allow client push to use insecure credential pattern
* Allow client pull to use insecure credential pattern
* Allow opt-in to insecure pattern
* Support secure credential pattern
* Refactor error handling for missing 'workflow' scope in createRelease
* ScopesResponder wraps StatusScopesResponder
* Refactor `workflow` scope checking
* pr feedback
* pr feedback
* Update pkg/cmd/attestation/verify/attestation_integration_test.go
* Apply suggestions from code review
* Refactor command documentation to use heredoc
* pr feedback
* remove unused test file
* undo change
* add more testing testing fixtures
* update test with new test bundle
* naming
* update test
* update test
* Fix README.md code block formatting
* clean up
* wrap sigstore and cert ext verification into a single function
* Adding option to return `baseRefOid` in `pr view`
* verify cert extensions function should return filtered result list
* pr feedback
* Update pkg/cmd/attestation/download/download.go
* fix function param calls
* Update pkg/cmd/attestation/verification/extensions.go
* Formatting fix
* Updated formatting to be more clear
* Updated markdown syntax for a `note`.
* Added a section on manual verification of the relases.
* Handle missing 'workflow' scope in createRelease
* Modify push prompt on repo create when bare
* Doc push behaviour for bare repo create
* Push --mirror on bare repo create
* Add acceptance test for bare repo create
* Doc isLocalRepo and git.Client IsLocalRepo differences
* Use errWithExitCode interface in repo create isLocalRepo
* Backfill repo creation failure tests
* Support bare repo creation
* use logger println method
* simplify verifyCertExtensions
* rename type
* refactor fetch attestations funcs
- Update to version 2.62.0
* CVE-2024-52308: remote code execution (RCE) when users connect
to a malicious Codespace SSH server and use the gh codespace
ssh or gh codespace logs commands
(boo#1233387, GHSA-p2h2-3vg9-4p87)
* Check extension for latest version when executed
* Shorten extension release checking from 3s to 1s
- includes changes from 2.61.0:
* Enhance gh repo edit command to inform users about
consequences of changing visibility and ensure users are
intentional before making irreversible changes
- Update to version 2.60.1:
* Note token redaction in Acceptance test README
* Refactor gpg-key delete to align with ssh-key delete
* Add acceptance tests for org command
* Adjust environment help for host and tokens (#9809)
* Add SSH Key Acceptance test
* Add Acceptance test for label command
* Add acceptance test for gpg-key
* Update go-internal to redact more token types in Acceptance tests
* Address PR feedback
* Clarify `gh` is available for GitHub Enterprise Cloud
* Remove comment from gh auth logout
* Add acceptance tests for auth-setup-git and formattedStringToEnv helper func
* Use forked testscript for token redaction
* Use new GitHub preview terms in working-with-us.md
* Use new GitHub previews terminology in attestation
* Test json flags for repo view and list
* Clean up auth-login-logout acceptance test with native functionality
* Add --token flag to `gh auth login` to accept a PAT as a flag
* Setup acceptance testing for auth and tests for auth-token and auth-status
* Update variable testscripts based on secret
* Check extOwner for no value instead
* Fix tests for invalid extension name
* Refactor to remove code duplication
* Linting: now that mockDataGenerator has an embedded mock, we ought to have pointer receivers in its funcs.
* Minor tweaks, added backoff to getTrustDomain
* added test for verifying we do 3 retries when fetching attestations.
* Fix single quote not expanding vars
* Added constant backoff retry to getAttestations.
* Address @williammartin PR feedback
* wip: added test that fails in the absence of a backoff.
* add validation for local ext install
* feat: add ArchivedAt field to Repository struct
* Refactor `gh secret` testscript
* Wrap true in '' in repo-fork-sync
* Rename acceptance test directory from repos to repo
* Remove unnecessary flags from repo-delete testscript
* Replace LICENSE Makefile README.md acceptance api bin build cmd context docs git go.mod go.sum internal pkg script share test utils commands with
* Wrap boolean strings in '' so it is clear they are strings
* Remove unnecessary gh auth setup-git steps
* Cleanup some inconsistencies and improve collapse some functionality
* Add acceptance tests for repo deploy-key add/list/delete
* Add acceptance tests for repo-fork and repo-sync
* Add acceptance test for repo-set-default
* Add acceptance test for repo-edit
* Add acceptance tests for repo-list and repo-rename
* Acceptance testing for repo-archive and repo-unarchive
* Add acceptance test for repo-clone
* Added acceptance test for repo-delete
* Added test function for repos and repo-create test
* Implement acceptance tests for search commands
* Remove . from test case for TestTitleSurvey
* Clean up Title Survey empty title message code
* Add missing test to trigger acceptance tests
* Add acceptance tests for `gh variable`
* Minor polish / consistency
* Fix typo in custom command doc
* Refactor env2upper, env2lower; add docs
* Update secret note about potential failure
* Add testscripts for `gh secret`, helper cmds
* Remove stdout assertion from release
* Rename test files
* Add acceptance tests for `release` commands
* Implement basic API acceptance test
* Remove unnecesary mkdir from download Acceptance test
* Remove empty stdout checks
* Adjust sleeps to echos in Acceptance workflows
* Use regex assert for enable disable workflow Acceptance test
* Watch for run to end for cancel Acceptance test
* Include startedAt, completedAt in run steps data
* Rewrite a sentence in CONTRIBUTING.md
* Add filtered content output to docs
* sleep 10s before checking for workflow run
* Update run-rerun.txtar
* Create cache-list-delete.txtar
* Create run-view.txtar
* Create run-rerun.txtar
* Create run-download.txtar
* Create run-delete.txtar
* Remove IsTenancy and relevant tests from gists as they are unsupported
* Remove unnecessary code branches
* Add ghe.com to tests describing ghec data residency
* Remove comment
* auth: Removed redundant ghauth.IsTenancy(host) check
* Use go-gh/auth package for IsEnterprise, IsTenancy, and NormalizeHostname
* Upgrade go-gh version to 2.11.0
* Add test coverage to places where IsEnterprise incorrectly covers Tenancy
* Fix issue creation with metadata regex
* Create run-cancel.txtar
* Create workflow-run.txtar
* Create workflow-view.txtar
* implement workflow enable/disable acceptance test
* implement base workflow list acceptance test
* Add comment to acceptance make target
* Resolve PR feedback
* Acceptance test issue command
* Support GH_ACCEPTANCE_SCRIPT
* Ensure Acceptance defer failures are debuggable
* Add acceptance task to makefile
* build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.5 to 1.4.6
* Ensure pr create with metadata has assignment
* Document sharedCmds func in acceptance tests
* Correct testscript description in Acceptance readme
* Add link to testscript pkg documentation
* Add VSCode extension links to Acceptance README
* Fix GH_HOST / GH_ACCEPTANCE_HOST misuse
* Acceptance test PR list
* Support skipping Acceptance test cleanup
* Acceptance test PR creation with metadata
* Suggest using legacy PAT for acceptance tests
* Add host recommendation to Acceptance test docs
* Don't append remaining text if more matches
* Highlight matches in table and content
* Split all newlines, and output no-color to non-TTY
* Print filtered gists similar to code search
* Show progress when filtering
* Simplify description
* Disallow use of --include-content without --filter
* Improve help docs
* Refactor filtering into existing `gist list`
* Improve performance
* Add `gist search` command
* Fix api tests after function signature changes
* Return nil instead of empty objects when err
* Fix license list and view tests
* Validate required env vars not-empty for Acceptance tests
* Add go to test instructions in Acceptance README
* Apply suggestions from code review
* Error if acceptance tests are targeting github or cli orgs
* Add codecoverage to Acceptance README
* Isolate acceptance env vars
* Add Writing Tests section to Acceptance README
* Add Debug and Authoring sections to Acceptance README
* Acceptance test PR comment
* Acceptance test PR merge and rebase
* Note syntax highlighting support for txtar files
* Refactor acceptance test environment handling
* Add initial acceptance test README
* Use txtar extension for testscripts
* Support targeting other hosts in acceptance tests
* Use stdout2env in PR acceptance tests
* Acceptance test PR checkout
* Add pr view test script
* Initial testscript introduction
* While we're at it, let's ensure VerifyCertExtensions can't be tricked the same way.
* Add examples for creating `.gitignore` files
* Update help for license view
* Refactor http error handling
* implement `--web` flag for license view
* Fix license view help doc, add LICENSE.md example
* Update help and fix heredoc indentation
* Add SPDX ID to license list output
* Fix ExactArgs invocation
* Add `Long` for license list indicating limitations
* Update function names
* Reverse repo/shared package name change
* If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error.
* Bump cli/oauth to 1.1.1
* Add test coverage for TitleSurvey change
* Fix failing test for pr and issue create
* Make the X in the error message red and print with io writer
* Handle errors from parsing hostname in auth flow
* Apply suggestions from code review
* Refactor tests and add new tests
* Move API calls to queries_repo.go
* Allow user to override markdown wrap width via $GH_MDWIDTH from environment
* Add handling of empty titles for Issues and PRs
* Print the login URL even when opening a browser
* Apply suggestions from code review
* Update SECURITY.md
* Fix typo and wordsmithing
* fix typo
* Remove trailing space from heading
* Revise wording
* Update docs to allow community submitted designs
* Implement license view
* Implement gitignore view
* implement gitignore list
* Update license table headings and tests
* Fix ListLicenseTemplates doc
* fix output capitalization
* Cleanup rendering and tests
* Remove json output option
* Divide shared repo package and add queries tests
* First pass at implementing `gh repo license list`
* Emit a log message when extension installation falls back to a darwin-amd64 binary on an Apple Silicon macOS machine
- Update to version 2.58.0:
* build(deps): bump github.com/theupdateframework/go-tuf/v2
* Include `dnf5` commands
* Add GPG key instructions to appropriate sections
* Update docs language to remove possible confusion around 'where you log in'
* Change conditional in promptForHostname to better reflect prompter changes
* Shorten language on Authenticate with a GitHub host.
* Update language on docstring for `gh auth login`
* Change prompts for `gh auth login` to reflect change from GHE to Other
* Sentence case 'Other' option in hostname prompt
* build(deps): bump github.com/henvic/httpretty from 0.1.3 to 0.1.4
* Add documentation explaining how to use `hostname` for `gh auth login`
* Replace 'GitHub Enterprise Server' with 'other' in `gh auth login` prompt
* fix tenant-awareness for trusted-root command
* Fix test
* Update pkg/cmd/extension/manager.go
* Update comment formatting
* Use new HasActiveToken method in trustedroot.go
* Add HasActiveToken method to AuthConfig interface
* Add HasActiveToken to AuthConfig.
* Improve error presentation
* Improve the suggested command for creating an issue when an extension doesn't have a binary for your platform
* Update pkg/cmd/attestation/trustedroot/trustedroot_test.go
* build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5
* enforce auth for tenancy
* disable auth check for att trusted-root cmd
* better error for att verify custom issuer mismatch
* Enhance gh repo create docs, fix random cmd link
Patchnames: openSUSE-2025-21
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
9.6 (Critical)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
| URL | Category | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for gh",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for gh fixes the following issues:\n\n- Update to version 2.65.0:\n * Bump cli/go-gh for indirect security vulnerability\n * Panic mustParseTrackingRef if format is incorrect\n * Move trackingRef into pr create package\n * Make tryDetermineTrackingRef tests more respective of reality\n * Rework tryDetermineTrackingRef tests\n * Avoid pointer return from determineTrackingBranch\n * Doc determineTrackingBranch\n * Don\u0027t use pointer for determineTrackingBranch branchConfig\n * Panic if tracking ref can\u0027t be reconstructed\n * Document and rework pr create tracking branch lookup\n * Upgrade generated workflows\n * Fixed test for stdout in non-tty use case of repo fork\n * Fix test\n * Alternative: remove LocalBranch from BranchConfig\n * Set LocalBranch even if the git config fails\n * Add test for permissions check for security and analysis edits (#1)\n * print repo url to stdout\n * Update pkg/cmd/auth/login/login.go\n * Move mention of classic token to correct line\n * Separate type decrarations\n * Add mention of classic token in gh auth login docs\n * Update pkg/cmd/repo/create/create.go\n * docs(repo): make explicit which branch is used when creating a repo\n * fix(repo fork): add non-TTY output when fork is newly created\n * Move api call to editRun\n * Complete get -\u003e list renaming\n * Better error testing for autolink TestListRun\n * Decode instead of unmarshal\n * Use \u0027list\u0027 instead of \u0027get\u0027 for autolink list type and method\n * Remove NewAutolinkClient\n * Break out autolink list json fields test\n * PR nits\n * Refactor autolink subcommands into their own packages\n * Whitespace\n * Refactor out early return in test code\n * Add testing for AutoLinkGetter\n * Refactor autolink list and test to use http interface for simpler testing\n * Apply PR comment changes\n * Introduce repo autolinks list commands\n * Remove release discussion posts and clean up related block in deployment yml\n * Extract logic into helper function\n * add pending status for workflow runs\n * Feat: Allow setting security_and_analysis settings in gh repo edit\n * Upgrade golang.org/x/net to v0.33.0\n * Document SmartBaseRepoFunc\n * Document BaseRepoFunc\n * Update releasing.md\n * Document how to set gh-merge-base\n\n- Update to version 2.64.0:\n * add test for different SAN and SourceRepositoryURI values\n * add test for signerRepo and tenant\n * add some more fields to test that san, sanregex are set properly\n * Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6\n * update san and sanregex configuration for readability\n * reduce duplication when creating policy content\n * tweak output of build policy info\n * Name conditionals in PR finder\n * Support pr view for intra-org forks\n * Return err instead of silentError in merge queue check\n * linting pointed out this var is no longer used\n * Removed fun, but inaccessible ASCII header\n * further tweaks to the long description\n * Exit on pr merge with `-d` and merge queue\n * Addressed PR review feedback; expanded Long command help string, used ghrepo, clarified some abbreviations\n * Update pkg/cmd/attestation/inspect/inspect.go\n * Update gh auth commands to point to GitHub Docs\n * Reformat ext install long\n * Mention Windows quirk in ext install help text\n * Fix error mishandling in local ext install\n * Assert on err msg directly in ext install tests\n * Clarify hosts in ext install help text\n * Bump golang.org/x/crypto from 0.29.0 to 0.31.0\n * Removed now redundant file\n * minor tweak to language\n * go mod tidy\n * Deleted no-longer-used code.\n * deleted now-invalid tests, added a tiny patina of new testing.\n * Tightened up docs, deleted dead code, improved printing\n * fix file name creation on windows\n * wording\n * hard code expected digest\n * fix download test\n * use bash shell with integration tests\n * simplify var creation\n * update integration test scripts\n * fix: list branches in square brackets in gh codespace\n * try nesting scripts\n * run all tests in a single script\n * windows for loop syntax\n * use replaceAll\n * update expected file path on windows\n * run integration tests with windows specific syntax\n * run all attestation cmd integration tests automatically\n * Bump actions/attest-build-provenance from 1.4.4 to 2.1.0\n * Improve error handling in apt setup script\n * use different file name for attestation files on windows\n * test(gh run): assert branch names are enclosed in square brackets\n * docs: enhance help text and prompt for rename command\n * Revert \u0027Confirm auto-detected base branch\u0027\n * Confirm auto-detected base branch\n * Merge changes from #10004\n * Set gh-merge-base from `issue develop`\n * Open PR against gh-merge-base\n * Refactor extension executable error handling\n * fix: list branches in square brackets in gh run view (#10038)\n * docs: update description of command\n * style: reformat files\n * docs: update sentence case\n * use github owned oci image\n * docs: add mention of scopes help topic in `auth refresh` command help\n * docs: add mention of scopes help topic in `auth login` command help\n * docs: add help topic for auth scopes\n * docs: improve help for browse command\n * docs: improve docs for browse command as of #5352\n * fix package reference\n * add gh attestation verify integration test for oci bundles\n * add integration test for bundle-from-oci option\n * update tests\n * update tests\n * move content of veriy policy options function into enforcement criteria\n * comment\n * try switch statement\n * remove duplicate err checking\n * get bundle issuer in another func\n * more logic updating to remove nesting\n * inverse logic for less nesting\n * remove unneeded nesting\n * wip, linting, getting tests to pass\n * wording\n * var naming\n * drop table view\n * order policy info so relevant info is printed next to each other\n * Update pkg/cmd/attestation/verification/policy.go\n * Update pkg/cmd/attestation/verification/policy.go\n * Update pkg/cmd/attestation/verification/policy.go\n * wip: added new printSummaryInspection\n * Improve error handling for missing executable\n * experiment with table output\n * Assert stderr is empty in manager_test.go\n * Update error message wording\n * Change: exit zero, still print warning to stderr\n * wording\n * Improve docs on installing extensions\n * Update language for missing extension executable\n * Update test comments about Windows behavior\n * wording\n * wording\n * wording\n * add newlines for additional policy info\n * Document requirements for local extensions\n * Warn when installing local ext with no executable\n * wording\n * formatting\n * print policy information before verifying\n * add initial policy info method\n * more wip poking around, now with table printing\n * wip, gh at inspect will check the signature on the bundle\n * wip: inspect now prints various bundle fields in a nice json\n\n- Update to version 2.63.2:\n\n * include alg with digest when fetching bundles from OCI\n * Error for mutually exclusive json and watch flags\n * Use safepaths for run download\n * Use consistent slice ordering in run download tests\n * Consolidate logic for isolating artifacts\n * Fix PR checkout panic when base repo is not in remotes\n * When renaming an existing remote in `gh repo fork`, log the change\n * Improve DNF version clarity in install steps\n * Fix formatting in client_test.go comments for linter\n * Expand logic and tests to handle edge cases\n * Refactor download testing, simpler file descends\n * Bump github.com/gabriel-vasile/mimetype from 1.4.6 to 1.4.7\n * Improve test names so there is no repetition\n * Second attempt to address exploit\n\n- Update to version 2.63.0:\n\n * Add checkout test that uses ssh git remote url\n * Rename backwards compatible credentials pattern\n * Fix CredentialPattern doc typos\n * Remove TODOs\n * Fix typos and add tests for CredentialPatternFrom* functions\n * Add SSH remote todo\n * General cleanup and docs\n * Allow repo sync fetch to use insecure credentials pattern\n * Allow client fetch to use insecure credentials pattern\n * Allow client push to use insecure credential pattern\n * Allow client pull to use insecure credential pattern\n * Allow opt-in to insecure pattern\n * Support secure credential pattern\n * Refactor error handling for missing \u0027workflow\u0027 scope in createRelease\n * ScopesResponder wraps StatusScopesResponder\n * Refactor `workflow` scope checking\n * pr feedback\n * pr feedback\n * Update pkg/cmd/attestation/verify/attestation_integration_test.go\n * Apply suggestions from code review\n * Refactor command documentation to use heredoc\n * pr feedback\n * remove unused test file\n * undo change\n * add more testing testing fixtures\n * update test with new test bundle\n * naming\n * update test\n * update test\n * Fix README.md code block formatting\n * clean up\n * wrap sigstore and cert ext verification into a single function\n * Adding option to return `baseRefOid` in `pr view`\n * verify cert extensions function should return filtered result list\n * pr feedback\n * Update pkg/cmd/attestation/download/download.go\n * fix function param calls\n * Update pkg/cmd/attestation/verification/extensions.go\n * Formatting fix\n * Updated formatting to be more clear\n * Updated markdown syntax for a `note`.\n * Added a section on manual verification of the relases.\n * Handle missing \u0027workflow\u0027 scope in createRelease\n * Modify push prompt on repo create when bare\n * Doc push behaviour for bare repo create\n * Push --mirror on bare repo create\n * Add acceptance test for bare repo create\n * Doc isLocalRepo and git.Client IsLocalRepo differences\n * Use errWithExitCode interface in repo create isLocalRepo\n * Backfill repo creation failure tests\n * Support bare repo creation\n * use logger println method\n * simplify verifyCertExtensions\n * rename type\n * refactor fetch attestations funcs\n\n- Update to version 2.62.0\n * CVE-2024-52308: remote code execution (RCE) when users connect\n to a malicious Codespace SSH server and use the gh codespace\n ssh or gh codespace logs commands\n (boo#1233387, GHSA-p2h2-3vg9-4p87)\n * Check extension for latest version when executed\n * Shorten extension release checking from 3s to 1s\n\n- includes changes from 2.61.0:\n * Enhance gh repo edit command to inform users about\n consequences of changing visibility and ensure users are\n intentional before making irreversible changes\n\n- Update to version 2.60.1:\n\n * Note token redaction in Acceptance test README\n * Refactor gpg-key delete to align with ssh-key delete\n * Add acceptance tests for org command\n * Adjust environment help for host and tokens (#9809)\n * Add SSH Key Acceptance test\n * Add Acceptance test for label command\n * Add acceptance test for gpg-key\n * Update go-internal to redact more token types in Acceptance tests\n * Address PR feedback\n * Clarify `gh` is available for GitHub Enterprise Cloud\n * Remove comment from gh auth logout\n * Add acceptance tests for auth-setup-git and formattedStringToEnv helper func\n * Use forked testscript for token redaction\n * Use new GitHub preview terms in working-with-us.md\n * Use new GitHub previews terminology in attestation\n * Test json flags for repo view and list\n * Clean up auth-login-logout acceptance test with native functionality\n * Add --token flag to `gh auth login` to accept a PAT as a flag\n * Setup acceptance testing for auth and tests for auth-token and auth-status\n * Update variable testscripts based on secret\n * Check extOwner for no value instead\n * Fix tests for invalid extension name\n * Refactor to remove code duplication\n * Linting: now that mockDataGenerator has an embedded mock, we ought to have pointer receivers in its funcs.\n * Minor tweaks, added backoff to getTrustDomain\n * added test for verifying we do 3 retries when fetching attestations.\n * Fix single quote not expanding vars\n * Added constant backoff retry to getAttestations.\n * Address @williammartin PR feedback\n * wip: added test that fails in the absence of a backoff.\n * add validation for local ext install\n * feat: add ArchivedAt field to Repository struct\n * Refactor `gh secret` testscript\n * Wrap true in \u0027\u0027 in repo-fork-sync\n * Rename acceptance test directory from repos to repo\n * Remove unnecessary flags from repo-delete testscript\n * Replace LICENSE Makefile README.md acceptance api bin build cmd context docs git go.mod go.sum internal pkg script share test utils commands with\n * Wrap boolean strings in \u0027\u0027 so it is clear they are strings\n * Remove unnecessary gh auth setup-git steps\n * Cleanup some inconsistencies and improve collapse some functionality\n * Add acceptance tests for repo deploy-key add/list/delete\n * Add acceptance tests for repo-fork and repo-sync\n * Add acceptance test for repo-set-default\n * Add acceptance test for repo-edit\n * Add acceptance tests for repo-list and repo-rename\n * Acceptance testing for repo-archive and repo-unarchive\n * Add acceptance test for repo-clone\n * Added acceptance test for repo-delete\n * Added test function for repos and repo-create test\n * Implement acceptance tests for search commands\n * Remove . from test case for TestTitleSurvey\n * Clean up Title Survey empty title message code\n * Add missing test to trigger acceptance tests\n * Add acceptance tests for `gh variable`\n * Minor polish / consistency\n * Fix typo in custom command doc\n * Refactor env2upper, env2lower; add docs\n * Update secret note about potential failure\n * Add testscripts for `gh secret`, helper cmds\n * Remove stdout assertion from release\n * Rename test files\n * Add acceptance tests for `release` commands\n * Implement basic API acceptance test\n * Remove unnecesary mkdir from download Acceptance test\n * Remove empty stdout checks\n * Adjust sleeps to echos in Acceptance workflows\n * Use regex assert for enable disable workflow Acceptance test\n * Watch for run to end for cancel Acceptance test\n * Include startedAt, completedAt in run steps data\n * Rewrite a sentence in CONTRIBUTING.md\n * Add filtered content output to docs\n * sleep 10s before checking for workflow run\n * Update run-rerun.txtar\n * Create cache-list-delete.txtar\n * Create run-view.txtar\n * Create run-rerun.txtar\n * Create run-download.txtar\n * Create run-delete.txtar\n * Remove IsTenancy and relevant tests from gists as they are unsupported\n * Remove unnecessary code branches\n * Add ghe.com to tests describing ghec data residency\n * Remove comment\n * auth: Removed redundant ghauth.IsTenancy(host) check\n * Use go-gh/auth package for IsEnterprise, IsTenancy, and NormalizeHostname\n * Upgrade go-gh version to 2.11.0\n * Add test coverage to places where IsEnterprise incorrectly covers Tenancy\n * Fix issue creation with metadata regex\n * Create run-cancel.txtar\n * Create workflow-run.txtar\n * Create workflow-view.txtar\n * implement workflow enable/disable acceptance test\n * implement base workflow list acceptance test\n * Add comment to acceptance make target\n * Resolve PR feedback\n * Acceptance test issue command\n * Support GH_ACCEPTANCE_SCRIPT\n * Ensure Acceptance defer failures are debuggable\n * Add acceptance task to makefile\n * build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.5 to 1.4.6\n * Ensure pr create with metadata has assignment\n * Document sharedCmds func in acceptance tests\n * Correct testscript description in Acceptance readme\n * Add link to testscript pkg documentation\n * Add VSCode extension links to Acceptance README\n * Fix GH_HOST / GH_ACCEPTANCE_HOST misuse\n * Acceptance test PR list\n * Support skipping Acceptance test cleanup\n * Acceptance test PR creation with metadata\n * Suggest using legacy PAT for acceptance tests\n * Add host recommendation to Acceptance test docs\n * Don\u0027t append remaining text if more matches\n * Highlight matches in table and content\n * Split all newlines, and output no-color to non-TTY\n * Print filtered gists similar to code search\n * Show progress when filtering\n * Simplify description\n * Disallow use of --include-content without --filter\n * Improve help docs\n * Refactor filtering into existing `gist list`\n * Improve performance\n * Add `gist search` command\n * Fix api tests after function signature changes\n * Return nil instead of empty objects when err\n * Fix license list and view tests\n * Validate required env vars not-empty for Acceptance tests\n * Add go to test instructions in Acceptance README\n * Apply suggestions from code review\n * Error if acceptance tests are targeting github or cli orgs\n * Add codecoverage to Acceptance README\n * Isolate acceptance env vars\n * Add Writing Tests section to Acceptance README\n * Add Debug and Authoring sections to Acceptance README\n * Acceptance test PR comment\n * Acceptance test PR merge and rebase\n * Note syntax highlighting support for txtar files\n * Refactor acceptance test environment handling\n * Add initial acceptance test README\n * Use txtar extension for testscripts\n * Support targeting other hosts in acceptance tests\n * Use stdout2env in PR acceptance tests\n * Acceptance test PR checkout\n * Add pr view test script\n * Initial testscript introduction\n * While we\u0027re at it, let\u0027s ensure VerifyCertExtensions can\u0027t be tricked the same way.\n * Add examples for creating `.gitignore` files\n * Update help for license view\n * Refactor http error handling\n * implement `--web` flag for license view\n * Fix license view help doc, add LICENSE.md example\n * Update help and fix heredoc indentation\n * Add SPDX ID to license list output\n * Fix ExactArgs invocation\n * Add `Long` for license list indicating limitations\n * Update function names\n * Reverse repo/shared package name change\n * If provided with zero attestations to verify, the LiveSigstoreVerifier.Verify func should return an error.\n * Bump cli/oauth to 1.1.1\n * Add test coverage for TitleSurvey change\n * Fix failing test for pr and issue create\n * Make the X in the error message red and print with io writer\n * Handle errors from parsing hostname in auth flow\n * Apply suggestions from code review\n * Refactor tests and add new tests\n * Move API calls to queries_repo.go\n * Allow user to override markdown wrap width via $GH_MDWIDTH from environment\n * Add handling of empty titles for Issues and PRs\n * Print the login URL even when opening a browser\n * Apply suggestions from code review\n * Update SECURITY.md\n * Fix typo and wordsmithing\n * fix typo\n * Remove trailing space from heading\n * Revise wording\n * Update docs to allow community submitted designs\n * Implement license view\n * Implement gitignore view\n * implement gitignore list\n * Update license table headings and tests\n * Fix ListLicenseTemplates doc\n * fix output capitalization\n * Cleanup rendering and tests\n * Remove json output option\n * Divide shared repo package and add queries tests\n * First pass at implementing `gh repo license list`\n * Emit a log message when extension installation falls back to a darwin-amd64 binary on an Apple Silicon macOS machine\n\n- Update to version 2.58.0:\n * build(deps): bump github.com/theupdateframework/go-tuf/v2\n * Include `dnf5` commands\n * Add GPG key instructions to appropriate sections\n * Update docs language to remove possible confusion around \u0027where you log in\u0027\n * Change conditional in promptForHostname to better reflect prompter changes\n * Shorten language on Authenticate with a GitHub host.\n * Update language on docstring for `gh auth login`\n * Change prompts for `gh auth login` to reflect change from GHE to Other\n * Sentence case \u0027Other\u0027 option in hostname prompt\n * build(deps): bump github.com/henvic/httpretty from 0.1.3 to 0.1.4\n * Add documentation explaining how to use `hostname` for `gh auth login`\n * Replace \u0027GitHub Enterprise Server\u0027 with \u0027other\u0027 in `gh auth login` prompt\n * fix tenant-awareness for trusted-root command\n * Fix test\n * Update pkg/cmd/extension/manager.go\n * Update comment formatting\n * Use new HasActiveToken method in trustedroot.go\n * Add HasActiveToken method to AuthConfig interface\n * Add HasActiveToken to AuthConfig.\n * Improve error presentation\n * Improve the suggested command for creating an issue when an extension doesn\u0027t have a binary for your platform\n * Update pkg/cmd/attestation/trustedroot/trustedroot_test.go\n * build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5\n * enforce auth for tenancy\n * disable auth check for att trusted-root cmd\n * better error for att verify custom issuer mismatch\n * Enhance gh repo create docs, fix random cmd link\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2025-21",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_0021-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:0021-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HUMKXZZVR2XTEF5OINR7OTNWNR5IVCYQ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:0021-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HUMKXZZVR2XTEF5OINR7OTNWNR5IVCYQ/"
},
{
"category": "self",
"summary": "SUSE Bug 1233387",
"url": "https://bugzilla.suse.com/1233387"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52308 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52308/"
}
],
"title": "Security update for gh",
"tracking": {
"current_release_date": "2025-01-22T10:02:08Z",
"generator": {
"date": "2025-01-22T10:02:08Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:0021-1",
"initial_release_date": "2025-01-22T10:02:08Z",
"revision_history": [
{
"date": "2025-01-22T10:02:08Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "gh-2.65.0-bp156.2.17.1.aarch64",
"product": {
"name": "gh-2.65.0-bp156.2.17.1.aarch64",
"product_id": "gh-2.65.0-bp156.2.17.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-2.65.0-bp156.2.17.1.i586",
"product": {
"name": "gh-2.65.0-bp156.2.17.1.i586",
"product_id": "gh-2.65.0-bp156.2.17.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"product": {
"name": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"product_id": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch"
}
},
{
"category": "product_version",
"name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"product": {
"name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"product_id": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch"
}
},
{
"category": "product_version",
"name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch",
"product": {
"name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch",
"product_id": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-2.65.0-bp156.2.17.1.ppc64le",
"product": {
"name": "gh-2.65.0-bp156.2.17.1.ppc64le",
"product_id": "gh-2.65.0-bp156.2.17.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-2.65.0-bp156.2.17.1.s390x",
"product": {
"name": "gh-2.65.0-bp156.2.17.1.s390x",
"product_id": "gh-2.65.0-bp156.2.17.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "gh-2.65.0-bp156.2.17.1.x86_64",
"product": {
"name": "gh-2.65.0-bp156.2.17.1.x86_64",
"product_id": "gh-2.65.0-bp156.2.17.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP6",
"product": {
"name": "SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.aarch64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.i586 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.i586",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.ppc64le as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.ppc64le",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.s390x as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.s390x",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.x86_64 as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch"
},
"product_reference": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch"
},
"product_reference": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch as component of SUSE Package Hub 15 SP6",
"product_id": "SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"
},
"product_reference": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.i586 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.i586",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-2.65.0-bp156.2.17.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64"
},
"product_reference": "gh-2.65.0-bp156.2.17.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch"
},
"product_reference": "gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch"
},
"product_reference": "gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"
},
"product_reference": "gh-zsh-completion-2.65.0-bp156.2.17.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52308",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52308"
}
],
"notes": [
{
"category": "general",
"text": "The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\n\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64",
"SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64",
"openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52308",
"url": "https://www.suse.com/security/cve/CVE-2024-52308"
},
{
"category": "external",
"summary": "SUSE Bug 1233387 for CVE-2024-52308",
"url": "https://bugzilla.suse.com/1233387"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64",
"SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64",
"openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.aarch64",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.i586",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.ppc64le",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.s390x",
"SUSE Package Hub 15 SP6:gh-2.65.0-bp156.2.17.1.x86_64",
"SUSE Package Hub 15 SP6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"SUSE Package Hub 15 SP6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"SUSE Package Hub 15 SP6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.aarch64",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.i586",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.ppc64le",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.s390x",
"openSUSE Leap 15.6:gh-2.65.0-bp156.2.17.1.x86_64",
"openSUSE Leap 15.6:gh-bash-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-fish-completion-2.65.0-bp156.2.17.1.noarch",
"openSUSE Leap 15.6:gh-zsh-completion-2.65.0-bp156.2.17.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-01-22T10:02:08Z",
"details": "critical"
}
],
"title": "CVE-2024-52308"
}
]
}
GHSA-P2H2-3VG9-4P87
Vulnerability from github – Published: 2024-11-14 17:39 – Updated: 2024-11-19 19:37
VLAI?
Summary
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
Details
Summary
A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands.
Details
The vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the default devcontainer image. GitHub CLI retrieves SSH connection details, such as remote username, which is used in executing ssh commands for gh codespace ssh or gh codespace logs commands.
This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects ssh arguments within the SSH connection details. gh codespace ssh and gh codespace logs commands could execute arbitrary code on the user's workstation if the remote username contains something like -oProxyCommand="echo hacked" #. The -oProxyCommand flag causes ssh to execute the provided command while # shell comment causes any other ssh arguments to be ignored.
In 2.62.0, the remote username information is being validated before being used.
Impact
Successful exploitation could lead to arbitrary code execution on the user's workstation, potentially compromising the user's data and system.
Remediation and Mitigation
- Upgrade
ghto2.62.0 - Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.
Severity ?
8.0 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.61.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/cli/cli/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.62.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/cli/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.62.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52308"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-14T17:39:01Z",
"nvd_published_at": "2024-11-14T23:15:05Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the `gh codespace ssh` or `gh codespace logs` commands.\n\n### Details\n\nThe vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used.\n\n### Impact\n\nSuccessful exploitation could lead to arbitrary code execution on the user\u0027s workstation, potentially compromising the user\u0027s data and system.\n\n### Remediation and Mitigation\n\n1. Upgrade `gh` to `2.62.0`\n2. Exercise caution when using custom devcontainer images, prefer default or pre-built devcontainers from trusted sources.",
"id": "GHSA-p2h2-3vg9-4p87",
"modified": "2024-11-19T19:37:12Z",
"published": "2024-11-14T17:39:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52308"
},
{
"type": "PACKAGE",
"url": "https://github.com/cli/cli"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3269"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer"
}
MSRC_CVE-2024-52308
Vulnerability from csaf_microsoft - Published: 2024-11-02 00:00 - Updated: 2026-02-18 14:33Summary
Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
8.0 (High)
Vendor Fix
2.62.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
https://learn.microsoft.com/en-us/azure/azure-lin…
References
| URL | Category | |
|---|---|---|
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2024-52308 Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-52308.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer",
"tracking": {
"current_release_date": "2026-02-18T14:33:35.000Z",
"generator": {
"date": "2026-02-21T01:16:03.620Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2024-52308",
"initial_release_date": "2024-11-02T00:00:00.000Z",
"revision_history": [
{
"date": "2024-12-13T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-02-18T14:33:35.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 gh 2.62.0-1",
"product": {
"name": "\u003cazl3 gh 2.62.0-1",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "azl3 gh 2.62.0-1",
"product": {
"name": "azl3 gh 2.62.0-1",
"product_id": "17563"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 gh 2.43.1-2",
"product": {
"name": "\u003cazl3 gh 2.43.1-2",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 gh 2.43.1-2",
"product": {
"name": "azl3 gh 2.43.1-2",
"product_id": "19865"
}
}
],
"category": "product_name",
"name": "gh"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 gh 2.62.0-1 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 gh 2.62.0-1 as a component of Azure Linux 3.0",
"product_id": "17563-17084"
},
"product_reference": "17563",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 gh 2.43.1-2 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 gh 2.43.1-2 as a component of Azure Linux 3.0",
"product_id": "19865-17084"
},
"product_reference": "19865",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-52308",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0026#39;Command Injection\u0026#39;)"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"17563-17084",
"19865-17084"
],
"known_affected": [
"17084-2",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-52308 Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-52308.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-13T00:00:00.000Z",
"details": "2.62.0-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-2",
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"temporalScore": 8.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"17084-2",
"17084-1"
]
}
],
"title": "Connecting to a malicious Codespaces via GH CLI could allow command execution on the user\u0027s computer"
}
]
}
FKIE_CVE-2024-52308
Vulnerability from fkie_nvd - Published: 2024-11-14 23:15 - Updated: 2024-11-20 15:07
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.
Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.
This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.
In `2.62.0`, the remote username information is being validated before being used.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*",
"matchCriteriaId": "745C1C41-D49C-4B7F-94F5-24A44BCCCFF5",
"versionEndExcluding": "2.62.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0.\n\nDevelopers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands.\n\nThis exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored.\n\nIn `2.62.0`, the remote username information is being validated before being used."
},
{
"lang": "es",
"value": "La versi\u00f3n 2.6.1 y anteriores de la CLI de GitHub son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de un servidor SSH de codespace malicioso cuando se usan los comandos `gh codespace ssh` o `gh codespace logs`. Esto se ha corregido en la CLI v2.62.0. Los desarrolladores se conectan a codespaces remotos a trav\u00e9s de un servidor SSH que se ejecuta dentro del devcontainer, que generalmente se proporciona a trav\u00e9s de la [imagen predeterminada de devcontainer]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [recupera detalles de conexi\u00f3n SSH]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), como el nombre de usuario remoto, que se utiliza al [ejecutar comandos `ssh`]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) para los comandos `gh codespace ssh` o `gh codespace logs`. Esta vulnerabilidad se produce cuando un contenedor de desarrollo malintencionado de terceros contiene un servidor SSH modificado que inyecta argumentos `ssh` dentro de los detalles de la conexi\u00f3n SSH. Los comandos `gh codespace ssh` y `gh codespace logs` podr\u00edan ejecutar c\u00f3digo arbitrario en la estaci\u00f3n de trabajo del usuario si el nombre de usuario remoto contiene algo como `-oProxyCommand=\"echo hacked\" #`. El indicador `-oProxyCommand` hace que `ssh` ejecute el comando proporcionado mientras que el comentario de shell `#` hace que se ignoren todos los dem\u00e1s argumentos de `ssh`. En `2.62.0`, la informaci\u00f3n del nombre de usuario remoto se valida antes de usarse."
}
],
"id": "CVE-2024-52308",
"lastModified": "2024-11-20T15:07:43.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-14T23:15:05.727",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…