We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-53859

go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace



Description

go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` sources authentication tokens from different environment variables depending on the host involved: 1. `GITHUB_TOKEN`, `GH_TOKEN` for GitHub.com and ghe.com and 2. `GITHUB_ENTERPRISE_TOKEN`, `GH_ENTERPRISE_TOKEN` for GitHub Enterprise Server. Prior to version `2.11.1`, `auth.TokenForHost` could source a token from the `GITHUB_TOKEN` environment variable for a host other than GitHub.com or ghe.com when within a codespace. In version `2.11.1`, `auth.TokenForHost` will only source a token from the `GITHUB_TOKEN` environment variable for GitHub.com or ghe.com hosts. Successful exploitation could send authentication token to an unintended host. This issue has been addressed in version 2.11.1 and all users are advised to upgrade. Users are also advised to regenerate authentication tokens and to review their personal security log and any relevant audit logs for actions associated with their account or enterprise.

Reserved 2024-11-22 | Published 2024-11-27 | Updated 2024-12-03 | Assigner GitHub_M


MEDIUM: 6.5CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 2.11.1
affected

References

github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh

docs.github.com/...and-revoking-authorization-of-github-apps

docs.github.com/...d-data-secure/reviewing-your-security-log

docs.github.com/...t-log-events-performed-by-an-access-token

docs.github.com/...cure/managing-your-personal-access-tokens

github.com/...b12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go

cve.org (CVE-2024-53859)

nvd.nist.gov (CVE-2024-53859)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-53859

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.