Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/cli/cli/v2: GHSA-2m9h-r57g-45pj #3310

Closed
GoVulnBot opened this issue Dec 4, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/cli/cli/v2: GHSA-2m9h-r57g-45pj #3310

GoVulnBot opened this issue Dec 4, 2024 · 1 comment
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-2m9h-r57g-45pj references a vulnerability in the following Go modules:

Module
github.com/cli/cli
github.com/cli/cli/v2

Description:

Summary

A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

Details

This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag valu...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cli/cli
      vulnerable_at: 1.14.0
    - module: github.com/cli/cli/v2
      versions:
        - fixed: 2.63.1
      vulnerable_at: 2.63.0
summary: |-
    Downloading malicious GitHub Actions workflow artifact results in path traversal
    vulnerability in github.com/cli/cli
cves:
    - CVE-2024-54132
ghsas:
    - GHSA-2m9h-r57g-45pj
references:
    - advisory: https://github.com/advisories/GHSA-2m9h-r57g-45pj
    - advisory: https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj
    - fix: https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932
source:
    id: GHSA-2m9h-r57g-45pj
    created: 2024-12-04T16:01:38.762410731Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/633598 mentions this issue: data/reports: add 6 unreviewed reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot