CVE-2024-53859 is a security vulnerability discovered in the go-gh module, which is widely used for interacting with the gh utility and the GitHub API from the command line. This vulnerability could lead to authentication tokens being leaked to non-GitHub hosts when using codespaces, potentially causing security risks for users and their repositories.
Vulnerability Details
In the go-gh module, authentication tokens are sourced from different environment variables depending on the host involved:
- GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server
However, prior to version 2.11.1, the auth.TokenForHost function could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace, leading to the leakage of authentication tokens to unintended hosts.
Here is a code snippet demonstrating the vulnerability (pre-2.11.1):

```go
func TokenForHost(cfg config.Config, host string) (string, error) {
	// A non-default host first gets a chance to supply its own configured token.
	if host != cfg.DefaultHostname() {
		if token, _ := cfg.Get(host, "oauth_token"); token != "" {
			return token, nil
		}
	}
	// This call is problematic: it reads the GitHub.com token (GITHUB_TOKEN) from the
	// environment without checking which host the token is about to be sent to.
	token, _ := oauthTokenFromEnv()
	if token != "" {
		return token, nil
	}
	return cfg.Get(cfg.DefaultHostname(), "oauth_token")
}
```
In version 2.11.1, the auth.TokenForHost function has been updated to only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts, effectively fixing the vulnerability. Here's the code snippet demonstrating the fix:

```go
import "os"

func TokenForHost(cfg config.Config, host string) (string, error) {
	var token string
	// GITHUB_TOKEN is only consulted for GitHub.com hosts; any other host must
	// rely on its own configured token.
	if host == "github.com" || host == "api.github.com" {
		token, _ = os.LookupEnv("GITHUB_TOKEN")
	} else {
		token, _ = cfg.Get(host, "oauth_token")
	}
	if token == "" {
		token, _ = os.LookupEnv("GH_TOKEN")
	}
	return token, nil
}
```
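To make the difference between the two behaviours concrete, the following is an added, self-contained example (not go-gh's own code) that models the pre-2.11.1 and the fixed token selection side by side and resolves a token for an enterprise host while a codespace-style environment holds a GitHub.com token. It assumes CODESPACES=true as the codespace indicator, a constructed host name, and a fixed precedence between the paired variables; the environment is injected as a lookup function so the logic can be exercised without touching the real process environment.

```go
package main

import (
	"fmt"
	"strings"
)

// lookup abstracts the environment so token selection can be tested with constructed values.
type lookup func(name string) string

func mapEnv(m map[string]string) lookup { return func(n string) string { return m[n] } }

// isDotCom reports whether GITHUB_TOKEN / GH_TOKEN are intended for this host.
func isDotCom(host string) bool {
	h := strings.ToLower(host)
	return h == "github.com" || h == "api.github.com" || h == "ghe.com"
}

// firstSet returns the first non-empty variable in order, with the variable name as the source.
func firstSet(env lookup, names ...string) (string, string) {
	for _, n := range names {
		if v := env(n); v != "" {
			return v, n
		}
	}
	return "", ""
}

// tokenForHostVulnerable models the pre-2.11.1 logic: inside a codespace (CODESPACES=true,
// assumed indicator) the GitHub.com token is handed out for any host, including enterprise ones.
func tokenForHostVulnerable(env lookup, host string) (string, string) {
	if isDotCom(host) {
		return firstSet(env, "GH_TOKEN", "GITHUB_TOKEN")
	}
	if tok, src := firstSet(env, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN"); tok != "" {
		return tok, src
	}
	if env("CODESPACES") == "true" {
		return firstSet(env, "GITHUB_TOKEN") // the leak: wrong token for a non-GitHub host
	}
	return "", ""
}

// tokenForHostFixed models the 2.11.1 behaviour: GITHUB_TOKEN is never used for a non-GitHub host.
func tokenForHostFixed(env lookup, host string) (string, string) {
	if isDotCom(host) {
		return firstSet(env, "GH_TOKEN", "GITHUB_TOKEN")
	}
	return firstSet(env, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN")
}

func main() {
	env := mapEnv(map[string]string{"CODESPACES": "true", "GITHUB_TOKEN": "ghp_CONSTRUCTED_NOT_REAL"})
	host := "ghes.example.internal" // constructed enterprise host
	t, s := tokenForHostVulnerable(env, host)
	fmt.Printf("vulnerable: host=%s token=%q source=%q\n", host, t, s)
	t, s = tokenForHostFixed(env, host)
	fmt.Printf("fixed:      host=%s token=%q source=%q\n", host, t, s)
}
```

Run as-is, the vulnerable path reports the GitHub.com token as the credential for the enterprise host, while the fixed path reports none; an enterprise token, when set, is still honoured by both.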
Exploit Details
Successful exploitation of this vulnerability could give an attacker who controls or observes the non-GitHub host access to the user's authentication token, which they could then use to act on the user's behalf, such as modifying repositories, accessing private data, or taking unauthorized actions at the enterprise level.
Mitigation
The vulnerability has been addressed in version 2.11.1 of the go-gh module. Users are strongly advised to upgrade their module to this version or later.
For more information and original references:
- Go-gh GitHub Repository
- Go-gh 2.11.1 Release Notes
- GitHub Security Advisory for CVE-2024-53859
Timeline
Published on: 11/27/2024 22:15:05 UTC