Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2025-25204

Опубликовано: 14 фев. 2025
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS3: 6.3

Описание

gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, gh attestation verify should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses gh attestation verify's exit codes to gatekeep deployments. Users are advised to update gh to patched version v2.67.0 as soon as possible.

РелизСтатусПримечание
devel

not-affected

2.46.0-4
esm-apps/jammy

not-affected

2.4.0+dfsg1-2
esm-apps/noble

not-affected

2.45.0-1ubuntu0.3
esm-infra/focal

DNE

focal

DNE

jammy

not-affected

2.4.0+dfsg1-2
noble

not-affected

2.45.0-1ubuntu0.3
oracular

ignored

end of life, was needs-triage
plucky

ignored

end of life, was needs-triage
questing

not-affected

2.46.0-3

Показывать по

Ссылки на источники

EPSS

Процентиль: 44%
0.00213
Низкий

6.3 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-25204

CVSS3: 6.3
nvd
около 1 года назад

`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.

msrc логотип

CVE-2025-25204

CVSS3: 6.3
msrc
около 1 года назад

`gh attestation verify` returns incorrect exit code during verification if no attestations are present

debian логотип

CVE-2025-25204

CVSS3: 6.3
debian
около 1 года назад

`gh` is GitHub\u2019s official command line tool. Starting in version ...

github логотип

GHSA-fgw4-v983-mgp8

CVSS3: 6.3
github
около 1 года назад

`gh attestation verify` returns incorrect exit code during verification if no attestations are present

EPSS

Процентиль: 44%
0.00213
Низкий

6.3 Medium

CVSS3