go-gh Vulnerability: Improper Token Handling (CVE-TBD) (Moderate)

2024-11-28

This article describes a moderate severity vulnerability in the go-gh library (versions prior to 2.11.1).


– The `auth.TokenForHost` function in go-gh could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when used within a codespace environment.
– This happened because, inside a codespace, the function could incorrectly source a token from the `GITHUB_TOKEN` environment variable for hosts other than github.com or ghe.com.

– A successful exploit could potentially send a
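The host-based token selection described above, as a simplified model added here (not go-gh's own code), with the pre-2.11.1 resolver and the fixed resolver side by side so the leak is visible on a constructed environment. The `GH_TOKEN` / `*_ENTERPRISE_TOKEN` variable names and the `CODESPACES` check are assumptions of this model.

```go
package main

import "fmt"

// Env stands in for the process environment so the example runs offline on constructed values.
type Env map[string]string

// isGitHubHost reports whether host is one GitHub itself operates: github.com or ghe.com.
func isGitHubHost(host string) bool {
	return host == "github.com" || host == "ghe.com"
}

// firstSet returns the value and name of the first non-empty variable among keys.
func firstSet(env Env, keys ...string) (value, source string) {
	for _, k := range keys {
		if v := env[k]; v != "" {
			return v, k
		}
	}
	return "", ""
}

// fixedTokenForHost models 2.11.1: GITHUB_TOKEN is only consulted for GitHub-operated hosts.
func fixedTokenForHost(host string, env Env) (string, string) {
	if isGitHubHost(host) {
		return firstSet(env, "GH_TOKEN", "GITHUB_TOKEN")
	}
	return firstSet(env, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN")
}

// vulnerableTokenForHost models the pre-2.11.1 flaw: inside a codespace, GITHUB_TOKEN was
// handed out before the host was examined, so it also reached non-GitHub hosts.
func vulnerableTokenForHost(host string, env Env) (string, string) {
	if env["CODESPACES"] == "true" { // how a codespace is detected is this model's assumption
		if tok, src := firstSet(env, "GITHUB_TOKEN"); tok != "" {
			return tok, src
		}
	}
	return fixedTokenForHost(host, env)
}

func main() {
	env := Env{"CODESPACES": "true", "GITHUB_TOKEN": "ghp_constructed_example"} // constructed
	for _, host := range []string{"github.com", "ghes.example.internal"} {
		vt, _ := vulnerableTokenForHost(host, env)
		ft, _ := fixedTokenForHost(host, env)
		fmt.Printf("%-22s vulnerable=%q fixed=%q\n", host, vt, ft)
	}
}
```

Running it shows the vulnerable resolver returning the github.com token for the non-GitHub host, while the fixed resolver returns nothing for it unless an enterprise token is set.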

Platform: go-gh
Version: Prior to 2.11.1
Vulnerability: Improper Token Handling
Severity: Moderate
Date: November 27, 2024

What Undercode Says:

This vulnerability highlights the importance of proper access control and environment variable management within codespaces: a token should only be sent to the host it was issued for. It’s recommended to upgrade to go-gh version 2.11.1 or later, which addresses this issue.

References:

Reported By: Github.com