golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/cli/cli: CVE-2024-53858 #3297

Open GoVulnBot opened 4 days ago

GoVulnBot commented 4 days ago

Advisory CVE-2024-53858 references a vulnerability in the following Go modules:

Module
github.com/cli/cli

Description: The gh cli is GitHub’s official command line tool. A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com. This vulnerability stems from several gh commands used to clone a repository with submodules from a non-GitHub host including gh repo clone, gh repo fork, and gh pr checkout. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the credential.helper configuration variable for any host encountered....

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cli/cli
      vulnerable_at: 1.14.0
summary: CVE-2024-53858 in github.com/cli/cli
cves:
    - CVE-2024-53858
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53858
    - web: https://git-scm.com/docs/gitcredentials
    - web: https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw
source:
    id: CVE-2024-53858
    created: 2024-11-27T23:01:48.600472323Z
review_status: UNREVIEWED
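The description above turns on whether git's credential helper is configured for every host (a bare `credential.helper`) or limited to one URL (`credential.<url>.helper`), since git consults every matching helper for each host it fetches, submodule hosts included. The Go program below is an added example, not code from gh or from x/vulndb: it parses `git config --list` style output and reports which helpers git would consult for a given remote, so an unscoped token helper that would also fire for a non-GitHub submodule host stands out. The sample config and the simplified scheme-plus-host matching are constructed assumptions.

```go
package main

import (
	"net/url"
	"strings"
)

// HelperEntry is one credential.*helper setting from `git config --list` output. An empty
// Scope means git runs the helper for every host, which is what the advisory describes.
type HelperEntry struct {
	Key, Scope, Helper string
}

// ParseCredentialHelpers extracts credential helper settings from key=value lines.
func ParseCredentialHelpers(configList string) []HelperEntry {
	var out []HelperEntry
	for _, line := range strings.Split(configList, "\n") {
		key, val, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || !strings.HasPrefix(key, "credential.") || !strings.HasSuffix(key, ".helper") {
			continue
		}
		scope := "" // bare credential.helper carries no URL scope
		if key != "credential.helper" {
			scope = strings.TrimSuffix(strings.TrimPrefix(key, "credential."), ".helper")
		}
		out = append(out, HelperEntry{Key: key, Scope: scope, Helper: val})
	}
	return out
}

// HelpersFor returns the helpers git would consult for remoteURL. Matching is simplified
// (assumption): scheme and host must match exactly; git's path and wildcard rules are not
// modeled. Empty helper values (git's way of clearing earlier helpers) are skipped.
func HelpersFor(entries []HelperEntry, remoteURL string) []HelperEntry {
	target, err := url.Parse(remoteURL)
	if err != nil {
		return nil
	}
	var hits []HelperEntry
	for _, e := range entries {
		s, perr := url.Parse(e.Scope)
		scoped := perr == nil && s.Scheme == target.Scheme && strings.EqualFold(s.Host, target.Host)
		if e.Helper != "" && (e.Scope == "" || scoped) {
			hits = append(hits, e)
		}
	}
	return hits
}
```

Run against a constructed config holding both a bare `credential.helper` and a `credential.https://github.com.helper`, the bare entry is the only one reported for a remote on a non-GitHub host, which is the exposure to look for when reviewing a checkout's effective git configuration.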