Date: 2024-05-11
Author: Cyber Security Analyst
Introduction
The GitHub CLI (Command Line Interface) is GitHub’s official tool that allows developers to manage their repositories and tasks directly from their command lines. Recently, a security vulnerability in GitHub CLI (CVE-2024-54132) was identified, which could lead to the unintentional creation or overwriting of files in unintended directories when users download a malicious GitHub Actions workflow artifact using the gh run download command.
Exploit Details
The CVE-2024-54132 vulnerability stems from a GitHub Actions workflow artifact having the deceptive name "..". This causes the GitHub CLI to extract the files within the artifact into a directory one level higher than the one specified by the --dir flag, which in turn creates or overwrites files in unintended directories.
1. An attacker publishes a workflow artifact whose name is the deceptive path component "..".
2. The user downloads the artifact using the gh run download command, for example:
   gh run download --name ".." --dir ~/Downloads
3. The CLI interprets the ".." as a directive to extract the files one directory higher than the specified path, so the files land in the parent directory of --dir.
4. The attacker's malicious files are now present in an unintended directory, which may lead to data exposure, manipulation, or unauthorized access.
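The mechanism in the steps above comes down to joining an untrusted artifact name onto the --dir path without checking that the result stays inside it. The following Go program is an added illustration (not the gh source) that places a naive join beside a containment check; the artifact names and the /home/user/Downloads directory are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesDir is returned when an artifact name would place files outside --dir.
var ErrEscapesDir = errors.New("artifact name escapes destination directory")

// naiveArtifactDir mirrors the flawed pattern: the artifact name is joined to
// --dir with no check that the result stays underneath it (illustrative only).
func naiveArtifactDir(dir, name string) string {
	return filepath.Join(dir, name)
}

// safeArtifactDir joins the artifact name to --dir and rejects any result that
// is not inside dir: ".." collapses to dir's parent, "../x" to a sibling.
func safeArtifactDir(dir, name string) (string, error) {
	base := filepath.Clean(dir)
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesDir
	}
	return target, nil
}

func main() {
	dir := "/home/user/Downloads" // constructed example value for --dir
	for _, name := range []string{"build-output", "..", "../sibling"} {
		fmt.Printf("naive %q -> %s\n", name, naiveArtifactDir(dir, name))
		if p, err := safeArtifactDir(dir, name); err != nil {
			fmt.Printf("safe  %q -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("safe  %q -> %s\n", name, p)
		}
	}
}
```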
- Original Reference: GitHub CLI Security Advisory
Mitigation
The vulnerability (CVE-2024-54132) has been addressed and fixed in GitHub CLI version 2.63.1. It is strongly recommended that users and developers update their CLI tool to avoid any potential exploitation of this vulnerability.
To update the GitHub CLI to the latest version, use the following instructions depending on your operating system:
Linux (apt):
  sudo apt update
  sudo apt upgrade gh
Alternatively, you can also download the latest GitHub CLI release (v2.63.1) from: GitHub CLI Releases
Conclusion
The recent discovery of CVE-2024-54132 highlights the importance of maintaining up-to-date software and regularly patching known vulnerabilities to ensure the protection of sensitive data and systems. By updating the GitHub CLI to the latest version, developers can safeguard their workflows and repositories from the unintended creation or overwriting of files caused by this vulnerability. Remember to always stay vigilant and keep an eye out for updates from trusted sources.
Timeline
Published on: 12/04/2024 16:15:26 UTC