Arbitrary File Overwrite in CodeQL versions less than 2.18.1

High
cklin published GHSA-x4gx-f2xv-6wj9 Jul 25, 2024

Package

No package listed

Affected versions

< 2.18.1

Patched versions

2.18.1

Description

Summary

CodeQL versions before 2.18.1 have a dependency on Eclipse JGit versions 4.7.9.201904161809 and earlier, and so are vulnerable to CVE-2023-4759 in specific scenarios.
CodeQL 2.18.1 fixes the vulnerability by upgrading its dependency to Eclipse JGit version 6.10.0.202406032230, which contains a fix for CVE-2023-4759.

Impact

If a CodeQL database is created using a code scanning configuration that specifies the use of custom queries from an untrusted repository (docs), and the machine where the database is used has a case-insensitive filesystem, the Git checkout of the specified custom query repository could overwrite arbitrary local files on the filesystem.

This doesn't affect users of the CodeQL extension for VS Code or users who don't specify custom queries in their code scanning configurations.

Patches

The problem is fixed in release 2.18.1 of the CLI.

Users creating databases manually should update to the latest version of the CLI.

Update process:

  • Customers using the default settings for code scanning on GitHub.com do not need to take any action to upgrade to this version.
  • Customers using a specific tools version in code scanning advanced setup workflows on GitHub.com may optionally choose to update this tools URL, or remove the field to use the latest version of CodeQL by default.
  • Customers on GitHub Enterprise Server may optionally choose to upgrade the version of CodeQL used in their code scanning Actions workflows using GitHub Connect or the CodeQL Action Sync Tool - see this documentation for more information.
  • Customers using the CodeQL CLI in a third-party CI system may optionally choose to update to the latest version of CodeQL.

Workarounds

  • When specifying custom queries, instead of using a repository reference within a configuration file, clone the custom query repository manually and use a local path to this clone in the configuration.
  • Disable symbolic links on the local filesystem.
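The first workaround relies on a clone you control. The following pre-flight check is an added example, not part of this advisory or of the CodeQL tooling: it lists the index of a local clone with `git ls-files -s` and reports the two conditions the advisory names, symbolic links recorded in the repository and paths that collide when compared case-insensitively, before the local path is placed in a code scanning configuration. The sample index listing is constructed.

```python
import subprocess
from collections import defaultdict

SYMLINK_MODE = "120000"  # git index mode for a symbolic link


def parse_ls_files(output):
    """Parse `git ls-files -s` lines: '<mode> <oid> <stage>\\t<path>'."""
    entries = []
    for line in output.splitlines():
        if line.strip():
            meta, path = line.split("\t", 1)
            entries.append((meta.split()[0], path))
    return entries


def find_risky_entries(entries):
    """Return (symlinks, case_collisions) for a list of (mode, path) pairs.

    Symlinks are entries git records with mode 120000. Case collisions are
    distinct paths (checked at every directory level) that become equal when
    lower-cased, which only matters on a case-insensitive filesystem.
    """
    symlinks = sorted(path for mode, path in entries if mode == SYMLINK_MODE)
    folded = defaultdict(set)
    for _, path in entries:
        parts = path.split("/")
        for i in range(1, len(parts) + 1):
            prefix = "/".join(parts[:i])
            folded[prefix.lower()].add(prefix)
    collisions = {k: sorted(v) for k, v in folded.items() if len(v) > 1}
    return symlinks, collisions


def check_clone(repo_dir):
    """Run the check against a local clone before referencing it by path."""
    out = subprocess.run(["git", "-C", repo_dir, "ls-files", "-s"],
                         check=True, capture_output=True, text=True).stdout
    return find_risky_entries(parse_ls_files(out))


# Constructed sample listing (not from any real repository): one symlink and
# one file/directory pair that differ only by case.
_OID = "0" * 40  # placeholder object id
SAMPLE = "\n".join([
    f"100644 {_OID} 0\tqlpack.yml",
    f"100644 {_OID} 0\tqueries/Foo.ql",
    f"120000 {_OID} 0\tlinks/out",
    f"100644 {_OID} 0\tQueries/foo.ql",
])
```

Running `find_risky_entries(parse_ls_files(SAMPLE))` reports the symlink `links/out` and the `queries`/`Queries` collision at both the directory and file level; an empty result is the condition to require before using the clone.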

Severity

High

CVE ID

CVE-2023-4759