6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-53858

GHSA ID

GHSA-jwcm-9g39-pmcw

EPSS Score

0.12497%

CWE

CWE-200

Published

11/27/2024

Updated

12/2/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-53858

CVE-2024-53858: Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts

Summary

A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com.

Details

This vulnerability stems from several gh commands used to clone a repository with submodules from a non-GitHub host including gh repo clone, gh repo fork, gh pr checkout. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the credential.helper configuration variable for any host encountered.

Prior to 2.63.0, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage:

GITHUB_ENTERPRISE_TOKEN
GH_ENTERPRISE_TOKEN
GITHUB_TOKEN when CODESPACES environment variable is set

The result being git sending authentication tokens when cloning submodules.

In 2.63.0, these GitHub CLI commands will limit the hosts for which gh acts as a credential helper to source authentication tokens. Additionally, GITHUB_TOKEN will only be used for GitHub.com and ghe.com.

Impact

Successful exploitation could lead to a third-party using leaked authentication tokens to access privileged resources.

Remediation and mitigation

Upgrade gh to 2.63.0
Revoke authentication tokens used with the GitHub CLI:
- Personal access tokens
- GitHub CLI OAuth app
Review your personal security log and any relevant audit logs for actions associated with your account or enterprise

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-53858

GHSA ID

GHSA-jwcm-9g39-pmcw

EPSS Score

0.12497%

CWE

CWE-200

Published

11/27/2024

Updated

12/2/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cli/cli/v2	go	<= 2.62.0	2.63.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from GitHub CLI commands (clone/fork/pr checkout) invoking Git with unrestricted credential.helper configurations. The key failure points are: 1) Command implementations that didn't limit credential helper activation to GitHub domains, 2) Credential management logic that leaked enterprise tokens to third-party hosts, and 3) Environment variable handling that inappropriately sourced tokens for non-GitHub operations. The patch in 2.63.0 explicitly restricts credential helper usage to GitHub-controlled domains, confirming these were the vulnerable areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * s**urity vuln*r**ility **s ***n i**nti*i** in t** *it*u* *LI t**t *oul* l**k *ut**nti**tion tok*ns w**n *lonin* r*positori*s *ont*inin* `*it` su*mo*ul*s *ost** outsi** o* *it*u*.*om *n* ***.*om. ### **t*ils T*is vuln*r**ility st*ms *

Reasoning

T** vuln*r**ility st*ms *rom *it*u* *LI *omm*n*s (*lon*/*ork/pr ****kout) invokin* *it wit* unr*stri*t** `*r***nti*l.**lp*r` *on*i*ur*tions. T** k*y **ilur* points *r*: *) *omm*n* impl*m*nt*tions t**t *i*n't limit `*r***nti*l` **lp*r **tiv*tion to `*

6.5

Basic Information

Concerned about an active attack path?

CVE-2024-53858: Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts

Summary

Details

Impact

Remediation and mitigation

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI