github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-p2h2-3vg9-4p87] Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer #5027

Closed dernorberto closed 3 days ago

dernorberto commented 1 week ago

Hi there! The CPE for this vulnerability is cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*, but the application is called gh. CVE/software-matching tools (e.g. FleetDM) will find the gh app but won't assign this CVE. As a CNA, could you update the CPE to include cpe:2.3:a:github:gh:*:*:*:*:*:*:*:*.
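To make the matching problem described in the comment above concrete, here is an added example (not code from the advisory database, FleetDM or the gh project) that parses CPE 2.3 formatted strings and applies a deliberately simplified match: `*` on either side matches anything, `-` matches only `-`, and every other component must compare equal case-insensitively. Real matchers also handle `?` wildcards and NVD version ranges, which are left out here. The two advisory CPE strings are the ones quoted in the thread; the inventory record, including its version `2.0.0`, is constructed for the demonstration.

```python
"""Why a product-name mismatch in an advisory CPE leaves an installed app unmatched.

Added illustration, not part of github/advisory-database. The matching rules
below are a simplification of CPE name matching (no '?' wildcards, no NVD
version ranges); the inventory record is a constructed sample.
"""

# The eleven components that follow the "cpe:2.3:" prefix, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def _split_components(s: str) -> list[str]:
    """Split on unescaped ':'; a backslash escapes the following character.

    Escapes are kept in the returned values so that an escaped '\\*' is never
    confused with the ANY wildcard '*'.
    """
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(ch)
            cur.append(s[i + 1])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe23(s: str) -> dict[str, str]:
    """Return the eleven named components of a CPE 2.3 formatted string."""
    parts = _split_components(s)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def component_matches(advisory: str, observed: str) -> bool:
    """Simplified CPE component comparison (assumption: no '?' handling)."""
    if advisory == "*" or observed == "*":      # ANY matches everything
        return True
    if advisory == "-" or observed == "-":      # NA matches only NA
        return advisory == observed
    return advisory.lower() == observed.lower()


def cpe_matches(advisory_cpe: str, observed_cpe: str) -> bool:
    """True when every component of the advisory CPE matches the observed one."""
    adv, obs = parse_cpe23(advisory_cpe), parse_cpe23(observed_cpe)
    return all(component_matches(adv[f], obs[f]) for f in CPE_FIELDS)


def match_inventory(inventory: list[str],
                    advisories: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each observed CPE to the CVE ids whose CPE list matches it."""
    result: dict[str, list[str]] = {}
    for observed in inventory:
        result[observed] = [
            cve for cve, cpes in advisories.items()
            if any(cpe_matches(c, observed) for c in cpes)
        ]
    return result


# Constructed inventory record: what a scanner would emit for the gh binary.
OBSERVED_GH = "cpe:2.3:a:github:gh:2.0.0:*:*:*:*:*:*:*"

# Advisory CPE list as quoted in the thread (product "cli" only).
ADVISORY_AS_PUBLISHED = {
    "CVE-2024-52308": ["cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*"],
}

# The same advisory with the additional "gh" CPE the thread asks for.
ADVISORY_WITH_GH = {
    "CVE-2024-52308": [
        "cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:github:gh:*:*:*:*:*:*:*:*",
    ],
}

if __name__ == "__main__":
    print("as published:", match_inventory([OBSERVED_GH], ADVISORY_AS_PUBLISHED))
    print("with gh CPE: ", match_inventory([OBSERVED_GH], ADVISORY_WITH_GH))
```

Running the module prints an empty match list for the published CPE and a hit for CVE-2024-52308 once the `gh` product CPE is present, which is exactly the gap the comment describes: the scanner sees the software, but the vendor/product pair in the advisory never lines up with it.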

github commented 1 week ago

Hi there @andyfeller! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

darakian commented 1 week ago

Hey @dernorberto, that CPE string looks like it was added by NVD and not by us: https://nvd.nist.gov/vuln/detail/CVE-2024-52308#VulnChangeHistorySection. You'll need to reach out to them to adjust it.

dernorberto commented 4 days ago

Thanks for the response. I have reached out to NVD to update the CPE.

darakian commented 3 days ago

No problem. Gonna close this out, but let us know if there's anything else we can do for you 👍