| id: GO-2024-3295 |
| modules: |
| - module: github.com/cli/go-gh |
| - module: github.com/cli/go-gh/v2 |
| versions: |
| - fixed: 2.11.1 |
| vulnerable_at: 2.11.0 |
| packages: |
| - package: github.com/cli/go-gh/v2/pkg/auth |
| symbols: |
| - tokenForHost |
| - TokenForHost |
| summary: |- |
| Violation of GitHub host security boundary when sourcing |
| authentication token within a codespace in github.com/cli/go-gh |
| cves: |
| - CVE-2024-53859 |
| ghsas: |
| - GHSA-55v3-xh23-96gh |
| references: |
| - advisory: https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh |
| - web: https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps |
| - web: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log |
| - web: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token |
| - web: https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens |
| - web: https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77 |
| source: |
| id: GHSA-55v3-xh23-96gh |
| created: 2024-12-11T16:32:41.665676-05:00 |
| review_status: REVIEWED |
