golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/cli/go-gh: CVE-2024-53859 #3298

Open GoVulnBot opened 5 days ago

GoVulnBot commented 5 days ago

Advisory CVE-2024-53859 references a vulnerability in the following Go modules:

Module
github.com/cli/go-gh

Description: go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens from different environment variables depending on the host involved: 1. GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com and 2. GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server. Prior to version 2.11.1, auth.TokenForHost could source a token from the `GITHUB...

References:

No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/cli/go-gh
      vulnerable_at: 1.2.1
summary: CVE-2024-53859 in github.com/cli/go-gh
cves:
    - CVE-2024-53859
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-53859
    - web: https://docs.github.com/en/apps/using-github-apps/reviewing-and-revoking-authorization-of-github-apps#reviewing-your-authorized-github-apps
    - web: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log
    - web: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token
    - web: https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
    - web: https://github.com/cli/go-gh/blob/71770357e0cb12867d3e3e288854c0aa09d440b7/pkg/auth/auth.go#L73-L77
    - web: https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
source:
    id: CVE-2024-53859
    created: 2024-11-27T23:01:49.125718947Z
review_status: UNREVIEWED

tatianab commented 13 hours ago

Duplicate of #3295
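The advisory above describes go-gh choosing a token source by host (GITHUB_TOKEN/GH_TOKEN for GitHub.com and ghe.com, GITHUB_ENTERPRISE_TOKEN/GH_ENTERPRISE_TOKEN for GHES) and, before 2.11.1, handing a GitHub.com token to a non-GitHub host inside a codespace. The following is an added illustration of the defensive shape of that lookup, not go-gh's own code: the host classification, the explicit GHES allow-list, the env-var precedence and the constructed sample environment are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Env is a snapshot of environment variables, passed in explicitly so the
// example is testable offline instead of reading os.Getenv.
type Env map[string]string

// isGitHubHost reports whether host may receive a GitHub.com token.
// Hypothetical classification modelled on the advisory text: only
// github.com and ghe.com (and ghe.com subdomains) qualify.
func isGitHubHost(host string) bool {
	h := strings.ToLower(strings.TrimSpace(host))
	return h == "github.com" || h == "ghe.com" || strings.HasSuffix(h, ".ghe.com")
}

// tokenForHost returns the token for host and the variable it came from.
// The key property: an unrecognised host gets no token at all. It never
// falls back to GITHUB_TOKEN, which a codespace sets automatically, so
// the token cannot be sent to a non-GitHub host.
func tokenForHost(host string, env Env, ghesHosts map[string]bool) (token, source string) {
	lookup := func(names ...string) (string, string) {
		for _, n := range names { // first non-empty variable wins
			if v := env[n]; v != "" {
				return v, n
			}
		}
		return "", ""
	}
	switch {
	case isGitHubHost(host):
		return lookup("GH_TOKEN", "GITHUB_TOKEN") // assumed precedence
	case ghesHosts[strings.ToLower(strings.TrimSpace(host))]:
		return lookup("GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN")
	default:
		return "", "" // non-GitHub host: deliberately unauthenticated
	}
}

func main() {
	env := Env{"GITHUB_TOKEN": "ghu_constructed_codespace_token"} // constructed sample
	ghes := map[string]bool{"ghes.example.internal": true}       // constructed allow-list
	for _, h := range []string{"github.com", "ghes.example.internal", "attacker.example.net"} {
		tok, src := tokenForHost(h, env, ghes)
		fmt.Printf("%-22s token=%q source=%q\n", h, tok, src)
	}
}
```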