#VU101844 Path traversal in GitHub CLI - CVE-2024-54132

Published: December 19, 2024


Vulnerability identifier: #VU101844
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-54132
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: GitHub CLI
Software vendor: GitHub CLI

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the "gh run download" command while downloading a GitHub Actions workflow artifact. A remote attacker can trick the victim into downloading a specially crafted GitHub Actions workflow artifact and overwrite arbitrary files on the system, leading to potential remote code execution.
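The check that a CWE-22 bug of this kind is missing is a containment test on every archive entry name before it is written to disk. The Go code below is an added example written for this advisory; it is not the GitHub CLI's own code and does not reproduce the fix shipped by the vendor. The function name SafeJoin, the destination directory and the sample entry names are all assumptions constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned for any archive entry that would resolve
// outside the directory the artifact is being downloaded into.
var ErrPathTraversal = errors.New("artifact entry escapes destination directory")

// SafeJoin resolves an entry name taken from an artifact archive against
// destDir and refuses any result that lands outside destDir. Absolute names,
// drive-letter names, ".." segments and backslash separators are all
// normalised before the containment check so none of them slip through.
// Hypothetical helper for illustration; not part of any project.
func SafeJoin(destDir, entryName string) (string, error) {
	// Treat backslashes as separators so "..\" is not missed on a Unix host.
	normalized := strings.ReplaceAll(entryName, "\\", "/")
	if normalized == "" || strings.HasPrefix(normalized, "/") || filepath.IsAbs(normalized) {
		return "", ErrPathTraversal
	}
	// Reject Windows drive-letter prefixes ("C:...") regardless of host OS.
	if len(normalized) >= 2 && normalized[1] == ':' {
		return "", ErrPathTraversal
	}
	base := filepath.Clean(destDir)
	target := filepath.Clean(filepath.Join(base, filepath.FromSlash(normalized)))
	// Rel is the authoritative test: a contained path never starts with "..",
	// and an entry that collapses onto the destination itself is not a file.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

// RejectedEntries returns the names in entries that SafeJoin refuses for
// destDir, so a downloader can abort before writing anything to disk.
func RejectedEntries(destDir string, entries []string) []string {
	var bad []string
	for _, name := range entries {
		if _, err := SafeJoin(destDir, name); err != nil {
			bad = append(bad, name)
		}
	}
	return bad
}

func main() {
	// Constructed sample entry names: three benign, four escaping the target.
	samples := []string{
		"build/app.tar.gz",
		"./report.html",
		"logs/../summary.txt",
		"../../outside.txt",
		"/etc/example.conf",
		"..\\..\\outside.txt",
		"C:/outside.txt",
	}
	for _, name := range samples {
		if p, err := SafeJoin("/tmp/artifact", name); err != nil {
			fmt.Printf("REJECT %q: %v\n", name, err)
		} else {
			fmt.Printf("ACCEPT %q -> %s\n", name, p)
		}
	}
}
```

Applying the check to every entry before extraction starts, as RejectedEntries does, means a single crafted name causes the whole download to be refused instead of partially written.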


Remediation

Install update from vendor's website.

External links