2024-11-28
Platform: GitHub CLI
Version: Prior to 2.63.0
Vulnerability: Token Leak
Severity: Critical
Date: Not specified
What Undercode Says:
This critical vulnerability in GitHub CLI could expose your authentication tokens to attackers when cloning repositories containing submodules hosted outside of GitHub.com and ghe.com.
Here’s a breakdown of the issue:
Vulnerable commands: `gh repo clone`, `gh repo fork`, `gh pr checkout`
Cause: These commands invoke `git` with the CLI's `credential.helper` configured for every host `git` contacts, so the token is handed out to any submodule host encountered, including hosts outside GitHub.
Affected versions: Prior to 2.63.0
Impact: Leaked tokens allow attackers to access your privileged resources on external submodule hosts.
Fix:
Upgrade GitHub CLI to version 2.63.0 or later.
Revoke any tokens used with the CLI.
Review security logs for suspicious activity.
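As an added, defender-side example (not code from the advisory or from the GitHub CLI project), the following POSIX shell script checks whether an installed `gh` is older than 2.63.0 and lists the submodule hosts in a repository's `.gitmodules` that lie outside github.com and ghe.com, i.e. the hosts to which an affected version could have sent a token and whose clones merit a look in the security logs. The sample `.gitmodules` contents and hostnames are constructed; parsing of `gh --version` assumes its first line reads `gh version X.Y.Z (...)`.

```shell
#!/bin/sh
# Added example: version check and external-submodule-host listing for the
# GitHub CLI token-leak advisory (fixed in 2.63.0). Not GitHub's own code.

# gh_version_from_output LINE -> prints X.Y.Z from "gh version X.Y.Z (date)"
# (assumes that first-line format of `gh --version`).
gh_version_from_output() {
  set -- $1
  printf '%s\n' "$3"
}

# gh_is_vulnerable X.Y.Z -> exit status 0 if the version is below 2.63.0.
# Only major and minor are compared; the fix landed in a .0 patch release.
gh_is_vulnerable() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -lt 2 ] && return 0
  [ "$major" -eq 2 ] && [ "$minor" -lt 63 ] && return 0
  return 1
}

# external_submodule_hosts FILE -> prints one host per submodule URL in the
# given .gitmodules that is not on github.com or ghe.com (or a subdomain).
# Relative URLs resolve to the superproject's own host and are skipped.
external_submodule_hosts() {
  sed -n 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//p' "$1" |
  while IFS= read -r url; do
    case "$url" in
      ./*|../*) continue ;;                          # relative: same host
      *://*) host=${url#*://}; host=${host%%/*}; host=${host##*@} ;;
      *@*:*) host=${url#*@}; host=${host%%:*} ;;      # scp-style ssh URL
      *) host=$url ;;
    esac
    host=${host%%:*}                                 # drop an explicit port
    case "$host" in
      github.com|*.github.com|ghe.com|*.ghe.com) ;;  # in-scope hosts
      *) printf '%s\n' "$host" ;;
    esac
  done
}

# write_sample_gitmodules FILE -> constructed fixture with one in-scope
# submodule, two external ones, and one relative URL.
write_sample_gitmodules() {
  cat > "$1" <<'EOF'
[submodule "vendor/lib"]
    path = vendor/lib
    url = https://github.com/example-org/lib.git
[submodule "vendor/tools"]
    path = vendor/tools
    url = git@gitlab.example.com:example-org/tools.git
[submodule "vendor/docs"]
    path = vendor/docs
    url = https://user@internal.example.org:8443/docs.git
[submodule "vendor/shared"]
    path = vendor/shared
    url = ../shared.git
EOF
}

# Usage against the local install (only runs when gh is on PATH).
if command -v gh >/dev/null 2>&1; then
  ver=$(gh_version_from_output "$(gh --version | head -n 1)")
  if gh_is_vulnerable "$ver"; then
    printf 'gh %s is affected: upgrade to 2.63.0 or later\n' "$ver"
  else
    printf 'gh %s is not affected\n' "$ver"
  fi
fi

# Usage against a checked-out repository: list hosts worth auditing.
if [ -f .gitmodules ]; then
  external_submodule_hosts .gitmodules
fi
```

Run it from the root of a superproject to see which hosts would have received the token on a recursive clone with an affected version; the hostnames it prints are the ones to check against the revoked token's usage in the security log.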
Remember: Keep your software updated and be cautious when using external submodules.
References:
Reported By: Github.com