CVE-2024-54132
CVSS V2 None
CVSS V3 None
Description
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when a user downloads a malicious GitHub Actions workflow artifact with `gh run download`. The vulnerability stems from a workflow artifact named `..`. When downloading, the artifact name and the `--dir` flag value are joined to determine the artifact’s download path; when the artifact is named `..`, the files inside the artifact are extracted exactly one directory higher than the directory given by `--dir`. This vulnerability is fixed in GitHub CLI 2.63.1.
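The path computation described above can be reproduced in a few lines. The following is an added illustration written for this page, not code from the cli/cli repository or from the referenced fix commit: `vulnerableDownloadPath` mirrors the join-as-is behaviour the advisory describes, and `safeDownloadPath` is one hypothetical hardening that rejects artifact names which are not a single plain path component and then confirms the resolved path still lies under the download directory. The function names and the `/tmp/artifacts` directory are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadArtifactName is returned when an artifact name cannot be used as a
// single directory component beneath the download directory.
var ErrBadArtifactName = errors.New("artifact name is not a safe path component")

// vulnerableDownloadPath mirrors the pre-fix behaviour the advisory describes:
// the --dir value and the artifact name are joined without validation.
// filepath.Join cleans the result, so a name of ".." collapses to the parent
// of dir and extraction lands one directory higher than intended.
// (Illustrative reconstruction, not the gh source.)
func vulnerableDownloadPath(dir, artifactName string) string {
	return filepath.Join(dir, artifactName)
}

// safeDownloadPath is a hypothetical hardened variant. It first rejects names
// that are empty, ".", "..", or contain a separator, then re-checks that the
// joined path is still inside dir by computing the relative path back to dir.
func safeDownloadPath(dir, artifactName string) (string, error) {
	if artifactName == "" || artifactName == "." || artifactName == ".." {
		return "", ErrBadArtifactName
	}
	// A valid artifact name must be exactly one path component.
	if strings.ContainsAny(artifactName, `/\`) || filepath.Base(artifactName) != artifactName {
		return "", ErrBadArtifactName
	}
	cleanDir := filepath.Clean(dir)
	target := filepath.Join(cleanDir, artifactName)
	// Defence in depth: the relative path from dir to target must not escape dir.
	rel, err := filepath.Rel(cleanDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadArtifactName
	}
	return target, nil
}

func main() {
	// Constructed sample artifact names: one benign, three hostile.
	for _, name := range []string{"build-output", "..", "../x", "a/b"} {
		fmt.Printf("vulnerable(%q) = %q\n", name, vulnerableDownloadPath("/tmp/artifacts", name))
		p, err := safeDownloadPath("/tmp/artifacts", name)
		fmt.Printf("safe(%q) = %q, err=%v\n", name, p, err)
	}
}
```

Running the program shows the benign name resolving to `/tmp/artifacts/build-output` in both variants, while `..` resolves to `/tmp` in the vulnerable join and is refused by the hardened one. The rejection of separators and of nested names is stricter than the single `..` case the advisory names; it is the general rule of which that case is one instance.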
Overview
- CVE ID
- CVE-2024-54132
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Date
- 2024-12-04T15:29:07.426Z
- Last Modified Date
- 2024-12-04T21:40:02.517Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj | x_refsource_CONFIRM |
https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-54132 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54132 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-12-05 13:08:55 | | | | Added to TrackCVE |