GitHub CLI (go-gh), Command Injection, CVE-2023-XXXX (Critical)


How the CVE Works

The vulnerability (CVE-2023-XXXX) in go-gh (the Go library behind the GitHub CLI) allows an attacker-controlled GitHub Enterprise Server to manipulate API responses, replacing legitimate HTTP URLs with local file paths. When a user runs commands such as `gh repo view -w` or `gh codespace`, the `Browser.Browse()` function receives these URLs.
Before v2.12.1, `Browser.Browse()` did not validate URL schemes, so an injected value such as `/usr/bin/malicious` in place of `https://github.com` could cause a local file or binary to be opened or executed. This could lead to arbitrary command execution with the user's privileges.
The patched version (v2.12.1) enforces strict URL validation:

- Allowed schemes: `http://`, `https://`, `vscode://`, `vscode-insiders://`
- Blocked schemes: `file://`
- Blocked paths: Local files, directories, and executables in `$PATH`
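As an added illustration (not code from the go-gh project or from this post), the following Go program models the behaviour described above on a few constructed API responses: `browseBefore` hands whatever `html_url` the server returned straight to the launcher, while `browseAfter` applies the scheme allow-list the fixed release enforces. Neither function executes anything; both return the argv that would be run. The field name `html_url`, the launcher name `xdg-open` and the sample responses are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// apiResponse holds the one field this example cares about. A hostile or
// compromised GHES controls its value completely.
type apiResponse struct {
	HTMLURL string `json:"html_url"`
}

// Constructed sample responses (not captured from a real server): the first
// two are what an honest server returns, the rest model a hostile GHES.
var sampleResponses = []struct{ name, body string }{
	{"legit", `{"html_url": "https://github.com/org/repo"}`},
	{"vscode", `{"html_url": "vscode://vscode.git/clone?url=https://github.com/org/repo"}`},
	{"file-scheme", `{"html_url": "file:///etc/passwd"}`},
	{"abs-path", `{"html_url": "/usr/bin/malicious"}`},
	{"path-lookup", `{"html_url": "malicious"}`},
}

// allowedSchemes is the allow-list the post attributes to the fixed release.
var allowedSchemes = map[string]bool{
	"http": true, "https": true, "vscode": true, "vscode-insiders": true,
}

// browseBefore models the pre-2.12.1 behaviour: the server-supplied target is
// passed to the launcher verbatim. It returns the argv instead of running it.
func browseBefore(launcher, target string) []string {
	return []string{launcher, target}
}

// browseAfter models the fixed behaviour: the target must parse and carry an
// allow-listed scheme, otherwise nothing is launched. A bare path or a $PATH
// lookup such as "malicious" parses with an empty scheme and is refused,
// as is file:// (url.Parse lowercases the scheme, so FILE:// is caught too).
func browseAfter(launcher, target string) ([]string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return nil, err
	}
	if !allowedSchemes[u.Scheme] {
		return nil, fmt.Errorf("refusing to open %q: unsupported scheme %q", target, u.Scheme)
	}
	return []string{launcher, target}, nil
}

// htmlURLFromResponse extracts html_url from a raw API body.
func htmlURLFromResponse(body string) (string, error) {
	var r apiResponse
	if err := json.Unmarshal([]byte(body), &r); err != nil {
		return "", err
	}
	if r.HTMLURL == "" {
		return "", errors.New("response has no html_url")
	}
	return r.HTMLURL, nil
}

func main() {
	for _, s := range sampleResponses {
		target, err := htmlURLFromResponse(s.body)
		if err != nil {
			fmt.Printf("%-12s bad response: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-12s before: %v\n", s.name, browseBefore("xdg-open", target))
		if argv, err := browseAfter("xdg-open", target); err != nil {
			fmt.Printf("%-12s after:  blocked (%v)\n", s.name, err)
		} else {
			fmt.Printf("%-12s after:  %v\n", s.name, argv)
		}
	}
}
```

Running it shows the two legitimate targets launched in both models, while the `file://`, absolute-path and bare-name targets are launched only by the pre-fix model and refused by the allow-list. The design point is that an allow-list on the parsed scheme needs no knowledge of local paths or `$PATH` lookups: anything that is not a URL of an expected kind simply fails to qualify.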
DailyCVE Form
Platform: GitHub CLI (go-gh)
Version: < 2.12.1
Vulnerability: Command Injection
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch expected by 2023-XX-XX
What Undercode Says:

Exploitation Analysis

1. Attack Vector:

- Attacker modifies GitHub Enterprise Server API responses.
- Replaces `https://` URLs with `file://` or direct executable paths.

2. Exploit Example:

Malicious API response triggers local binary execution
gh repo view -w /usr/bin/evil_script

3. Impact:

  • Remote code execution (RCE) as the logged-in user.

Protection & Mitigation

1. Update Immediately:

# gh itself is updated through the installer or package manager it came from
# (for example `brew upgrade gh` or `apt upgrade gh`); this command only upgrades extensions
gh extension upgrade --all

2. Manual Patch Check:

# must report 2.12.1 or later; grepping for the exact string would miss later fixed releases
gh --version | head -n 1

3. Network-Level Mitigation:

# Restrict GitHub CLI to trusted domains (host-wide rule; the rich-rule source attribute is "address", not "ip")
firewall-cmd --add-rich-rule='rule family="ipv4" source NOT address="192.0.2.0/24" drop'

4. Code-Level Fix (Go):

import (
	"errors"
	"net/url"
)

// Validate the URL scheme before anything is launched. A bare path such as
// /usr/bin/malicious parses with an empty scheme and is refused, as is file://.
func validateURL(rawURL string) error { // not named "url": that would shadow net/url
	allowed := []string{"http", "https", "vscode", "vscode-insiders"}
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	for _, scheme := range allowed {
		if u.Scheme == scheme {
			return nil
		}
	}
	return errors.New("unsupported URL scheme")
}

5. Log Monitoring:

# Audit recent launcher activity; gh has no systemd unit of its own, so search the whole journal
journalctl --since "1 hour ago" | grep -i "browser"

6. User Awareness:

  • Avoid `gh` commands on untrusted GitHub Enterprise instances.

7. Alternative Workaround:

# Disable browser auto-opening: gh has no global --web flag, so point its
# browser launcher at a command that ignores its argument instead
export GH_BROWSER=false

8. Enterprise Mitigation:

  • Enforce API response signing on GitHub Enterprise.

9. Exploit Detection:

# Check for suspicious URL calls; -f is needed because the launcher runs as a child process
strace -f -e trace=open,openat,execve -- gh repo view -w 2>&1 | grep -E "file:|/usr/bin"

10. Post-Exploit Actions:

  • Revoke compromised GitHub tokens:
    gh auth logout
    

Sources:

Reported By: github.com
Extra Source Hub: Undercode
