GitHub CLI Vulnerability Leaks Authentication Tokens (CVE-TBD) (Critical)

2024-11-28

Platform: GitHub CLI
Version: Prior to 2.63.0
Vulnerability: Token Leak
Severity: Critical
Date: Not specified

What Undercode Says:

This critical vulnerability in GitHub CLI could expose your authentication tokens to the operator of any host that a submodule points to, when you clone a repository whose submodules are hosted outside of GitHub.com and ghe.com.

Here’s a breakdown of the issue:

Vulnerable commands: `gh repo clone`, `gh repo fork`, `gh pr checkout`
Cause: These commands invoke `git`, which asks the configured `credential.helper` for credentials for every host it encounters while fetching submodules, so the CLI's GitHub token is presented to non-GitHub submodule hosts as well.

Affected versions: Prior to 2.63.0

Impact: Leaked tokens allow attackers to access your privileged resources on external submodule hosts.

Fix:

Upgrade GitHub CLI to version 2.63.0 or later.

Revoke any tokens used with the CLI.

Review security logs for suspicious activity.

Remember: Keep your software updated and be cautious when using external submodules.
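Two of the points above can be turned into a quick pre-clone check: whether the installed `gh` is older than the fixed release 2.63.0, and whether a repository's `.gitmodules` points at hosts other than github.com or ghe.com. The script below is an added example written for this page, not code from the advisory or from the GitHub CLI project. It assumes that `gh --version` prints the version number as the third word of its first line, treats `github.com` and any `*.ghe.com` host as GitHub-hosted (following the advisory's wording), and uses a constructed `.gitmodules` sample rather than a real repository.

```shell
#!/bin/sh
# Added example (not from the advisory or the GitHub CLI project):
# 1) detect a GitHub CLI older than 2.63.0, 2) list submodule hosts that are
# neither github.com nor a *.ghe.com tenant, i.e. hosts that a pre-2.63.0
# gh would hand the GitHub token to via git's credential.helper.

# version_lt A B: succeeds when dotted version A is strictly lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;   # A is lower
      if (xi > yi) exit 1;   # A is higher
    }
    exit 1;                  # equal is not "lower than"
  }'
}

# gh_version_vulnerable V: succeeds when V is an affected release (before 2.63.0).
gh_version_vulnerable() {
  version_lt "$1" "2.63.0"
}

# url_host URL: print the host part of an https://, ssh:// or scp-style git URL.
# Relative submodule URLs (./x, ../x) resolve to the superproject's own host,
# so they print an empty line and are skipped by the caller.
url_host() {
  case "$1" in
    ./*|../*) printf '\n'; return 0 ;;
  esac
  printf '%s\n' "$1" |
    sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#^[^@/]*@##; s#[/:].*$##'
}

# external_submodule_hosts: reads .gitmodules text on stdin and prints
# "host url" for every submodule hosted outside github.com / *.ghe.com.
# The github.com + *.ghe.com boundary is an assumption based on the advisory.
external_submodule_hosts() {
  grep -E '^[[:space:]]*url[[:space:]]*=' | sed -E 's/^[^=]*=[[:space:]]*//' |
  while IFS= read -r url; do
    host=$(url_host "$url")
    case "$host" in
      ""|github.com|ghe.com|*.ghe.com) ;;          # GitHub-hosted or relative: expected
      *) printf '%s %s\n' "$host" "$url" ;;        # external host: review before cloning
    esac
  done
}

# Constructed sample .gitmodules (not from any real repository).
SAMPLE_GITMODULES=$(cat <<'EOF'
[submodule "vendor/ok"]
	path = vendor/ok
	url = https://github.com/example-org/ok.git
[submodule "vendor/tenant"]
	path = vendor/tenant
	url = git@acme.ghe.com:acme/internal.git
[submodule "vendor/relative"]
	path = vendor/relative
	url = ../sibling.git
[submodule "vendor/ext"]
	path = vendor/ext
	url = https://gitlab.example.com/example-org/ext.git
[submodule "vendor/ext2"]
	path = vendor/ext2
	url = git@bitbucket.example.org:team/lib.git
EOF
)

# Stand-alone usage: check the locally installed gh (if any), then the sample.
installed=$(gh --version 2>/dev/null | awk 'NR == 1 { print $3 }')
if [ -n "$installed" ] && gh_version_vulnerable "$installed"; then
  echo "gh $installed is older than 2.63.0: upgrade before cloning repositories with external submodules"
fi
echo "Submodules on hosts outside github.com / ghe.com:"
printf '%s\n' "$SAMPLE_GITMODULES" | external_submodule_hosts
```

Run it against a real checkout with `external_submodule_hosts < path/to/.gitmodules`; an empty result means every submodule is on github.com or a ghe.com tenant, while any printed host is one that an unpatched `gh` would have presented your token to, and therefore one whose access logs are worth reviewing if you cloned with an affected version.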

References:

Reported By: GitHub.com
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://openai.com
Undercode AI DI v2: https://ai.undercode.help