SB2026020478 - Ubuntu update for gh 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026020478

SB2026020478 - Ubuntu update for gh

Published: February 4, 2026

Security Bulletin ID SB2026020478
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2024-54132)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to input validation error when processing directory traversal sequences within the "gh run download" command when downloading GitHub Actions workflow artifact. A remote attacker can trick the victim into downloading a specially crafted GitHub Actions workflow artifact and overwrite arbitrary files on the system, leading to potential remote code execution.


2) Information disclosure (CVE-ID: CVE-2024-53858)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application can leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. A remote attacker can trick the victim into cloning a specially crafted repository and obtain victim's authentication tokens. 


Remediation

Install update from vendor's website.

References