ubuntu-cve-2024-52308
Vulnerability from osv_ubuntu
Published
2024-11-14 23:15
Modified
2026-02-04 05:14
Summary
Details

The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the default devcontainer image . GitHub CLI retrieves SSH connection details, such as remote username, which is used in executing ssh commands for gh codespace ssh or gh codespace logs commands. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects ssh arguments within the SSH connection details. gh codespace ssh and gh codespace logs commands could execute arbitrary code on the user's workstation if the remote username contains something like -oProxyCommand="echo hacked" #. The -oProxyCommand flag causes ssh to execute the provided command while # shell comment causes any other ssh arguments to be ignored. In 2.62.0, the remote username information is being validated before being used.


{
  "affected": [
    {
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "gh",
            "binary_version": "2.45.0-1ubuntu0.2+esm1"
          }
        ],
        "priority_reason": "code execution"
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:24.04:LTS",
        "name": "gh",
        "purl": "pkg:deb/ubuntu/gh@2.45.0-1ubuntu0.2+esm1?arch=source\u0026distro=esm-apps/noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.45.0-1ubuntu0.2+esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.27.0+dfsg1-1build1",
        "2.30.0-2",
        "2.35.0-1",
        "2.40.1+dfsg1-1",
        "2.42.1-1",
        "2.43.1-1",
        "2.44.1-1",
        "2.44.1-2",
        "2.45.0-1",
        "2.45.0-1build1",
        "2.45.0-1ubuntu0.1",
        "2.45.0-1ubuntu0.2"
      ]
    }
  ],
  "aliases": [],
  "details": "The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user\u0027s workstation if the remote username contains something like `-oProxyCommand=\"echo hacked\" #`.  The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username information is being validated before being used.",
  "id": "UBUNTU-CVE-2024-52308",
  "modified": "2026-02-04T05:14:52Z",
  "published": "2024-11-14T23:15:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-52308"
    },
    {
      "type": "REPORT",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-52308"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87"
    },
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-7130-1"
    }
  ],
  "related": [
    "USN-7130-1"
  ],
  "schema_version": "1.7.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "high",
      "type": "Ubuntu"
    }
  ],
  "upstream": [
    "CVE-2024-52308"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…