CVE-2024-54132
Description
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-54132.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-54132
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | sid | fixed | 2.46.0-3 |
| debian | trixie | fixed | 2.46.0-3 |
| sles | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/cli/cli/v2 | <2.63.1 | 2.63.1 |
| Go | github.com/cli/cli | <=1.14.0 | |
| Go | github.com/cli/cli | | |
References
- https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj
- https://nvd.nist.gov/vuln/detail/CVE-2024-54132
- https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932
- https://github.com/cli/cli
- https://security-tracker.debian.org/tracker/CVE-2024-54132
- https://www.suse.com/security/cve/CVE-2024-54132.html
Verify integrity in audit chain (admin only). AS-IS.