2024-11-28
This article describes a moderate severity vulnerability in the go-gh library (versions prior to 2.11.1):
– The `auth.TokenForHost` function in go-gh could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when used within a codespace environment.
– This happened because, inside a codespace, the function could incorrectly source a token from the `GITHUB_TOKEN` environment variable for hosts other than github.com or ghe.com, the only hosts that variable is intended for.
– A successful exploit could potentially send a
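The following is an added, self-contained model of the lookup order the advisory describes; it is not go-gh's own source. The environment variable names are those the advisory names, while the `fixed` flag, the `isFirstPartyHost` classification (github.com, ghe.com and their subdomains), the simplified host normalisation, and the sample token values are assumptions made for the illustration. With `fixed=false` the enterprise branch falls back to `GITHUB_TOKEN` whenever `CODESPACES=true`, which is the leak; with `fixed=true` that variable is only consulted for first-party hosts.

```go
package main

import (
	"fmt"
	"strings"
)

// Environment variables that go-gh documents as token sources (names from the advisory).
const (
	envGHToken               = "GH_TOKEN"
	envGitHubToken           = "GITHUB_TOKEN"
	envGHEnterpriseToken     = "GH_ENTERPRISE_TOKEN"
	envGitHubEnterpriseToken = "GITHUB_ENTERPRISE_TOKEN"
	envCodespaces            = "CODESPACES"
)

// normalizeHost lower-cases the host and strips a scheme, port, path and
// trailing dot so that "https://API.GitHub.com/" and "github.com" compare equal.
// Assumption: this simplified normalisation is ours, not go-gh's.
func normalizeHost(host string) string {
	h := strings.ToLower(strings.TrimSpace(host))
	h = strings.TrimPrefix(h, "https://")
	h = strings.TrimPrefix(h, "http://")
	if i := strings.IndexAny(h, "/:"); i >= 0 {
		h = h[:i]
	}
	return strings.TrimSuffix(h, ".")
}

// isFirstPartyHost reports whether GITHUB_TOKEN is the intended credential:
// github.com, ghe.com and their subdomains (assumed classification).
func isFirstPartyHost(host string) bool {
	for _, d := range []string{"github.com", "ghe.com"} {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// tokenForHost models the lookup order. With fixed=false it reproduces the
// pre-2.11.1 behaviour described in the advisory (a codespace fallback to
// GITHUB_TOKEN for any host); with fixed=true GITHUB_TOKEN is only consulted
// for first-party hosts. It returns the token and the variable it came from.
func tokenForHost(host string, env map[string]string, fixed bool) (string, string) {
	h := normalizeHost(host)
	inCodespace := strings.EqualFold(env[envCodespaces], "true")

	if isFirstPartyHost(h) {
		for _, name := range []string{envGHToken, envGitHubToken} {
			if t := env[name]; t != "" {
				return t, name
			}
		}
		return "", ""
	}

	// Enterprise or otherwise unrecognised host: only the enterprise variables apply.
	for _, name := range []string{envGHEnterpriseToken, envGitHubEnterpriseToken} {
		if t := env[name]; t != "" {
			return t, name
		}
	}
	// The vulnerable fallback: inside a codespace, GITHUB_TOKEN (a github.com
	// credential) is handed to a host it was never issued for.
	if !fixed && inCodespace {
		if t := env[envGitHubToken]; t != "" {
			return t, envGitHubToken
		}
	}
	return "", ""
}

func main() {
	// Constructed sample environment, shaped like what a codespace presents.
	env := map[string]string{
		envCodespaces:  "true",
		envGitHubToken: "ghu_exampleCodespaceToken", // placeholder value, not a real token
	}
	for _, host := range []string{"github.com", "tenant.ghe.com", "ghes.example.internal"} {
		for _, fixed := range []bool{false, true} {
			tok, src := tokenForHost(host, env, fixed)
			fmt.Printf("fixed=%-5v host=%-22s token=%q source=%q\n", fixed, host, tok, src)
		}
	}
}
```

Running it shows the difference in one line: for `ghes.example.internal` the unfixed path returns the codespace's `GITHUB_TOKEN`, the fixed path returns nothing, and both paths still resolve github.com and tenant.ghe.com as before. Note that when an enterprise variable is set it wins in both modes, so the leak only bites when a codespace talks to an enterprise host without `GH_ENTERPRISE_TOKEN` or `GITHUB_ENTERPRISE_TOKEN` configured.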
Platform: go-gh
Version: Prior to 2.11.1
Vulnerability: Improper Token Handling
Severity: Moderate
Date: November 27, 2024
What Undercode Says:
This vulnerability highlights the importance of proper access control and environment variable management within codespaces: a codespace populates `GITHUB_TOKEN` with a github.com credential, so a library that consults that variable for other hosts hands the credential to whichever GitHub Enterprise Server or third-party endpoint the caller names. Check which version a project pulls in with `go list -m github.com/cli/go-gh/v2` and upgrade to go-gh 2.11.1 or later, where `auth.TokenForHost` only sources a token from `GITHUB_TOKEN` for github.com and ghe.com hosts.
References:
Reported By: GitHub