CVE-2024-52308: Command Injection in CLI CLI

CWE-77: Command Injection (9 documents, 6 sources)

Severity: 9.6 CRITICAL (NVD)
EPSS: 6.2% (top 9.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 14; latest update Nov 26

Description

The GitHub CLI version 2.6.1 and earlier is vulnerable to remote code execution through a malicious codespace SSH server when the `gh codespace ssh` or `gh codespace logs` commands are used. This has been patched in cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... htt

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 6.0

Affected Packages (9 packages)

NVD: github/cli < 2.62.0
Go: github.com/cli_cli < 2.62.0
Debian: debian/gh < gh 2.46.0-2 (sid)
CVEListV5: cli/cli 2.61.0

Vulnerability Details (5)

OSV: gh vulnerability (2024-11-26)
OSV: Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli (2024-11-19)
OSV: Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer (2024-11-14)
OSV: CVE-2024-52308: The GitHub CLI version 2... (2024-11-14)
GHSA: Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer (2024-11-14)

Vendor Advisories (3)

Ubuntu: GitHub CLI vulnerability (2024-11-26)
Microsoft: Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer (2024-11-12)
Debian: CVE-2024-52308: gh - The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution... (2024)