Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-52308

Опубликовано: 14 нояб. 2024
Источник: nvd
CVSS3: 8
CVSS3: 9.6
EPSS Низкий

Описание

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0.

Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is use

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*
Версия до 2.62.0 (исключая)

EPSS

Процентиль: 90%
0.05956
Низкий

8 High

CVSS3

9.6 Critical

CVSS3

Дефекты

CWE-77

Связанные уязвимости

ubuntu логотип

CVE-2024-52308

CVSS3: 8
ubuntu
около 1 года назад

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is u...

msrc логотип

CVE-2024-52308

CVSS3: 9.6
msrc
около 1 года назад

Описание отсутствует

debian логотип

CVE-2024-52308

CVSS3: 8
debian
около 1 года назад

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code ...

suse-cvrf логотип

openSUSE-SU-2025:0021-1

suse-cvrf
около 1 года назад

Security update for gh

github логотип

GHSA-p2h2-3vg9-4p87

CVSS3: 8
github
около 1 года назад

Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer

EPSS

Процентиль: 90%
0.05956
Низкий

8 High

CVSS3

9.6 Critical

CVSS3

Дефекты

CWE-77