Path traversal in GitHub CLI - CVE-2024-54132

Published: December 19, 2024


Vulnerability identifier: #VU101844
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-54132
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitHub CLI
Affected software:
GitHub CLI

Detailed vulnerability description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an input validation error when processing directory traversal sequences within the "gh run download" command while downloading a GitHub Actions workflow artifact. A remote attacker can trick the victim into downloading a specially crafted GitHub Actions workflow artifact and overwrite arbitrary files on the system, potentially leading to remote code execution.
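The defensive check that a downloader has to apply to every entry name taken from an untrusted archive is shown below. This is an added example written for this advisory, not the GitHub CLI's own code or its fix: the functions SafeJoin and FilterEntries, the destination directory and the sample entry names are all assumed for illustration. The check normalises the entry name, joins it to the destination directory, and rejects it whenever the cleaned result would land outside that directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry whose name would resolve
// outside the destination directory.
var ErrTraversal = errors.New("archive entry escapes destination directory")

// SafeJoin returns destDir joined with entryName, or ErrTraversal when the
// resulting path would not stay inside destDir. This is an illustrative
// check of the kind an artifact downloader must apply to untrusted entry
// names; it is not the gh CLI's implementation.
func SafeJoin(destDir, entryName string) (string, error) {
	if entryName == "" {
		return "", ErrTraversal
	}
	// Treat backslashes as separators too, so that a name crafted for a
	// Windows host is judged the same way on every platform.
	normalised := strings.ReplaceAll(entryName, `\`, "/")
	// Absolute names and drive-letter volumes ignore destDir entirely.
	if strings.HasPrefix(normalised, "/") || filepath.IsAbs(normalised) || filepath.VolumeName(normalised) != "" {
		return "", ErrTraversal
	}
	// Archive formats use forward slashes; convert to the host separator
	// so that Clean collapses every "." and ".." component.
	name := filepath.FromSlash(normalised)
	base := filepath.Clean(destDir)
	target := filepath.Clean(filepath.Join(base, name))
	// After cleaning, target must be base itself or a descendant of base.
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// FilterEntries applies SafeJoin to each entry name and splits the list
// into accepted target paths and rejected entry names.
func FilterEntries(destDir string, names []string) (accepted []string, rejected []string) {
	for _, n := range names {
		if target, err := SafeJoin(destDir, n); err == nil {
			accepted = append(accepted, target)
		} else {
			rejected = append(rejected, n)
		}
	}
	return accepted, rejected
}

func main() {
	// Constructed sample entry names; the destination directory is assumed.
	dest := filepath.Join(string(filepath.Separator), "tmp", "artifact")
	entries := []string{
		"build/report.txt",      // ordinary entry, accepted
		"a/../b.txt",            // ".." that stays in bounds, accepted
		"../../etc/passwd",      // classic traversal, rejected
		"build/../../escape.sh", // traversal hidden behind a real component, rejected
		"/etc/passwd",           // absolute name, rejected
		`..\..\evil.txt`,        // backslash variant, rejected
	}
	ok, bad := FilterEntries(dest, entries)
	fmt.Println("accepted:", ok)
	fmt.Println("rejected:", bad)
}
```

The comparison is done on the cleaned path, not on the raw entry name, so a "../" that is still inside the destination (a/../b.txt) is allowed while one that steps above it is refused; a naive substring scan for ".." would get both cases wrong. The check covers entry names only: symbolic links shipped inside the archive, or already present under the destination directory, need a separate check before each file is written.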


How to mitigate CVE-2024-54132

Install the update from the vendor's website.

Sources