6.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-54132

GHSA ID

GHSA-2m9h-r57g-45pj

EPSS Score

0.26678%

CWE

CWE-22

Published

12/4/2024

Updated

12/4/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-54132

CVE-2024-54132: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

Summary

A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

Details

This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value.

In 2.63.1, gh run download will not download artifacts named .. and . and instead exit with the following error message:

error downloading ..: would result in path traversal

Impact

Successful exploitation heightens the risk of local path traversal attack vectors exactly 1 directory higher than intended.

Remediation and Mitigation

Upgrade gh to 2.63.1
Implement additional validation to ensure artifact filenames do not contain potentially dangerous patterns, such as .., to prevent path traversal risks.

(GitHub Advisory)

6.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-54132

GHSA ID

GHSA-2m9h-r57g-45pj

EPSS Score

0.26678%

CWE

CWE-22

Published

12/4/2024

Updated

12/4/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cli/cli/v2	go	< 2.63.1	2.63.1
github.com/cli/cli	go	<= 1.14.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) In download.go, the runDownload() function combined user-controlled artifact names with target directories without sufficient validation, particularly dangerous when artifact names contained '..'. 2) The original filepathDescendsFrom() function in zip.go had inadequate path traversal detection. The commit added critical checks in both locations - a new path validation guard clause in runDownload() and improved relative path calculation in filepathDescendsFrom(). The test cases in download_test.go specifically demonstrate handling of '..' artifact names, confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * s**urity vuln*r**ility **s ***n i**nti*i** in *it*u* *LI t**t *oul* *r**t* or ov*rwrit* *il*s in unint*n*** *ir**tori*s w**n us*rs *ownlo** * m*li*ious *it*u* **tions work*low *rti***t t*rou** `** run *ownlo**`. ### **t*ils T*is vul

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) In `*ownlo**.*o`, t** `run*ownlo**()` *un*tion *om*in** us*r-*ontroll** *rti***t n*m*s wit* t*r**t *ir**tori*s wit*out su**i*i*nt v*li**tion, p*rti*ul*rly **n**rous w**n *rti***t n*m*s *ont*in** '..'.

6.3

Basic Information

Concerned about an active attack path?

CVE-2024-54132: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

Summary

Details

Impact

Remediation and Mitigation

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI