Source: gh
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gh.

CVE-2024-53858[0]:
| The gh cli is GitHub's official command line tool. A security
| vulnerability has been identified in the GitHub CLI that could leak
| authentication tokens when cloning repositories containing `git`
| submodules hosted outside of GitHub.com and ghe.com. This
| vulnerability stems from several `gh` commands used to clone a
| repository with submodules from a non-GitHub host, including
| `gh repo clone`, `gh repo fork`, and `gh pr checkout`. These GitHub
| CLI commands invoke git with instructions to retrieve authentication
| tokens using the `credential.helper` configuration variable for any
| host encountered. Prior to version `2.63.0`, hosts other than
| GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts
| and have tokens sourced from the following environment variables
| before falling back to host-specific tokens stored within
| system-specific secured storage: 1. `GITHUB_ENTERPRISE_TOKEN`,
| 2. `GH_ENTERPRISE_TOKEN` and 3. `GITHUB_TOKEN` when the `CODESPACES`
| environment variable is set. The result being `git` sending
| authentication tokens when cloning submodules. In version `2.63.0`,
| these GitHub CLI commands will limit the hosts for which `gh` acts
| as a credential helper to source authentication tokens.
| Additionally, `GITHUB_TOKEN` will only be used for GitHub.com and
| ghe.com. Users are advised to upgrade. Additionally, users are
| advised to revoke authentication tokens used with the GitHub CLI and
| to review their personal security log and any relevant audit logs
| for actions associated with their account or enterprise.

https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-53858
    https://www.cve.org/CVERecord?id=CVE-2024-53858

Please adjust the affected versions in the BTS as needed.
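The advisory describes two token-lookup rules: the pre-2.63.0 one, where any host that is not github.com or ghe.com is treated as GitHub Enterprise Server and served from the enterprise environment variables, and the 2.63.0 one, where gh only acts as a credential helper for a limited set of hosts and GITHUB_TOKEN is reserved for github.com and ghe.com. The Go program below is an added illustration written for this report; it is not code from gh or from the advisory. It parses the request git sends to a credential helper (key=value lines ended by a blank line) and runs it through both rules side by side. Assumptions not taken from the advisory: the "limited hosts" set is modelled as github.com, ghe.com and any host that already has an entry in secure storage; the `x-access-token` username, the `git.example.invalid` submodule host and every token value are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Environment variables the advisory lists for hosts treated as GitHub
// Enterprise Server, in the order they were consulted.
var enterpriseEnvOrder = []string{"GITHUB_ENTERPRISE_TOKEN", "GH_ENTERPRISE_TOKEN"}

// dotComToken handles github.com and ghe.com under both rules: GITHUB_TOKEN
// first, then the token kept in secure storage. The bool is false for other hosts.
func dotComToken(host string, env, stored map[string]string) (string, bool) {
	switch strings.ToLower(host) {
	case "github.com", "ghe.com":
	default:
		return "", false
	}
	if t := env["GITHUB_TOKEN"]; t != "" {
		return t, true
	}
	return stored[host], true
}

// parseCredentialHost reads the request git sends a credential helper on stdin
// ("key=value" lines ended by a blank line) and returns the host, lower-cased.
func parseCredentialHost(request string) string {
	sc := bufio.NewScanner(strings.NewReader(request))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break // the blank line ends the request block
		}
		if strings.HasPrefix(line, "host=") {
			return strings.ToLower(strings.TrimPrefix(line, "host="))
		}
	}
	return ""
}

// legacyToken models the pre-2.63.0 lookup: any non-github.com/ghe.com host is
// assumed to be GHES, so enterprise variables (and GITHUB_TOKEN under
// CODESPACES) are handed out before secure storage is consulted.
func legacyToken(host string, env, stored map[string]string) string {
	if t, ok := dotComToken(host, env, stored); ok {
		return t
	}
	for _, k := range enterpriseEnvOrder {
		if t := env[k]; t != "" {
			return t
		}
	}
	if env["CODESPACES"] != "" && env["GITHUB_TOKEN"] != "" {
		return env["GITHUB_TOKEN"]
	}
	return stored[host]
}

// restrictedToken models the 2.63.0 rule: GITHUB_TOKEN only for github.com and
// ghe.com; other hosts are served only if explicitly authenticated (assumption:
// an entry exists in secure storage). Unknown hosts get "".
func restrictedToken(host string, env, stored map[string]string) string {
	if t, ok := dotComToken(host, env, stored); ok {
		return t
	}
	storedTok, known := stored[host]
	if !known {
		return ""
	}
	for _, k := range enterpriseEnvOrder {
		if t := env[k]; t != "" {
			return t
		}
	}
	return storedTok
}

// helperResponse renders what the helper prints back to git for one request, or
// "" when it declines. The x-access-token username is an assumption.
func helperResponse(request string, lookup func(string, map[string]string, map[string]string) string, env, stored map[string]string) string {
	host := parseCredentialHost(request)
	if host == "" {
		return ""
	}
	tok := lookup(host, env, stored)
	if tok == "" {
		return ""
	}
	return fmt.Sprintf("username=x-access-token\npassword=%s\n", tok)
}

func main() {
	// Constructed scenario: a submodule on a non-GitHub host while an enterprise token is exported.
	env := map[string]string{"GITHUB_ENTERPRISE_TOKEN": "placeholder-enterprise-token"}
	stored := map[string]string{"github.com": "placeholder-stored-token"}
	req := "protocol=https\nhost=git.example.invalid\n\n"
	fmt.Printf("legacy lookup answers with: %q\n", helperResponse(req, legacyToken, env, stored))
	fmt.Printf("restricted lookup answers with: %q\n", helperResponse(req, restrictedToken, env, stored))
}
```

Running it shows the failure mode the advisory describes: the legacy rule answers the request for `git.example.invalid` with the exported enterprise token, so git would send it to that host, while the restricted rule declines because the host is neither github.com/ghe.com nor one the user has authenticated to. The same check is a useful way to reason about any tool that registers itself as a git credential helper: the helper, not git, decides which hosts receive which secret.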