#VU100996 Input validation error in GitHub CLI - CVE-2024-52308

Cybersecurity Help s.r.o.

Published: 2024-11-27

Vulnerability identifier: #VU100996

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-52308

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GitHub CLI
Universal components / Libraries / Software for developers

Vendor: GitHub CLI

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to the way GitHub CLI handles SSH connection details when executing commands. A remote user can supply a specially crafted devcontainer that can inject and execute arbitrary commands on the system with elevated privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

GitHub CLI: 0.4.0 - 2.61.0

External links
https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for gh

Remote code execution in GitHub CLI