6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-54132

GHSA ID

GHSA-2m9h-r57g-45pj

EPSS Score

0.26678%

CWE

CWE-22

Published

12/4/2024

Updated

12/4/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-54132

CVE-2024-54132: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

Summary

A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

Details

This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value.

In 2.63.1, gh run download will not download artifacts named .. and . and instead exit with the following error message:

error downloading ..: would result in path traversal

Impact

Successful exploitation heightens the risk of local path traversal attack vectors exactly 1 directory higher than intended.

Remediation and Mitigation

Upgrade gh to 2.63.1
Implement additional validation to ensure artifact filenames do not contain potentially dangerous patterns, such as .., to prevent path traversal risks.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-54132

CVE-2024-54132:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-54132

GHSA ID

GHSA-2m9h-r57g-45pj

EPSS Score

0.26678%

CWE

CWE-22

Published

12/4/2024

Updated

12/4/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cli/cli/v2	go	< 2.63.1	2.63.1
github.com/cli/cli	go	<= 1.14.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) In download.go, the runDownload() function combined user-controlled artifact names with target directories without sufficient validation, particularly dangerous when artifact names contained '..'. 2) The original filepathDescendsFrom() function in zip.go had inadequate path traversal detection. The commit added critical checks in both locations - a new path validation guard clause in runDownload() and improved relative path calculation in filepathDescendsFrom(). The test cases in download_test.go specifically demonstrate handling of '..' artifact names, confirming these were the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-54132: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

Summary

Details

Impact

Remediation and Mitigation

CVE-2024-54132:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-54132: Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability

Summary

Details

Impact

Remediation and Mitigation

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.3

6.3

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI