x/vulndb: potential Go vuln in github.com/cli/cli/v2: GHSA-p2h2-3vg9-4p87

[GoVulnBot]

Advisory GHSA-p2h2-3vg9-4p87 references a vulnerability in the following Go modules:

Module
github.com/cli/cli
github.com/cli/cli/v2

Description:

Summary

A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands.

Details

The vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/addi...

References:

• ADVISORY: GHSA-p2h2-3vg9-4p87
• ADVISORY: GHSA-p2h2-3vg9-4p87

Cross references:

• github.com/cli/cli appears in 1 other report(s):
  • data/reports/GO-2022-0395.yaml (x/vulndb: potential Go vuln in github.com/cli/cli: GHSA-fqfh-778m-2v32 #395)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cli/cli
      non_go_versions:
        - introduced: TODO (earliest fixed "2.62.0", vuln range "<= 2.61.0")
      vulnerable_at: 1.14.0
    - module: github.com/cli/cli/v2
      vulnerable_at: 2.62.0
summary: |-
    Connecting to a malicious Codespaces via GH CLI could allow command execution on
    the user's computer in github.com/cli/cli
cves:
    - CVE-2024-52308
ghsas:
    - GHSA-p2h2-3vg9-4p87
references:
    - advisory: https://github.com/advisories/GHSA-p2h2-3vg9-4p87
    - advisory: https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87
source:
    id: GHSA-p2h2-3vg9-4p87
    created: 2024-11-14T18:01:28.72790509Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/629356 mentions this issue: data/reports: add 9 unreviewed reports