Summary

A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when running within a codespace.

Details

go-gh sources authentication tokens from different environment variables depending on the host involved:

- GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com
- GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server

Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when running within a codespace. In 2.11.1, auth.TokenForHost only sources a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.

Impact

Successful exploitation could send an authentication token to an unintended host.

Remediation and mitigation

- Upgrade go-gh to 2.11.1
- Advise extension users to regenerate authentication tokens:
  - Personal access tokens
  - GitHub CLI OAuth app
- Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or…
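The following is an added illustration of the behaviour the Details section describes, written for this page; it is not go-gh's code. It is a simplified, hypothetical reconstruction of the host-to-environment-variable selection: the precedence of GH_TOKEN over GITHUB_TOKEN, the treatment of ghe.com subdomains as ghe.com hosts, the codespace flag passed as a parameter, and the environment passed as a map (so it runs offline) are all assumptions. The vulnerable variant shows the pre-2.11.1 fallback that hands GITHUB_TOKEN to an arbitrary host inside a codespace; the fixed variant shows the 2.11.1 rule that GITHUB_TOKEN is only ever used for GitHub.com or ghe.com.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical, simplified reconstruction of the token-selection logic the
// advisory describes. It is NOT go-gh's code; function names, lookup order
// and the ghe.com subdomain rule are assumptions made for this example.

// isGitHubOrGHE reports whether host is GitHub.com or a ghe.com host.
// Assumption: tenant subdomains of ghe.com (tenant.ghe.com) count as ghe.com.
func isGitHubOrGHE(host string) bool {
	h := strings.ToLower(strings.TrimSpace(host))
	return h == "github.com" || h == "ghe.com" || strings.HasSuffix(h, ".ghe.com")
}

// firstSet returns the value and name of the first variable in names that
// has a non-empty value in env; both are empty when none is set.
func firstSet(env map[string]string, names ...string) (token, source string) {
	for _, n := range names {
		if v := env[n]; v != "" {
			return v, n
		}
	}
	return "", ""
}

// tokenForHostVulnerable mirrors the pre-2.11.1 behaviour described in the
// advisory: inside a codespace, a host that is neither GitHub.com nor ghe.com
// falls back to GITHUB_TOKEN when no enterprise token is set.
func tokenForHostVulnerable(env map[string]string, host string, inCodespace bool) (token, source string) {
	if isGitHubOrGHE(host) {
		return firstSet(env, "GH_TOKEN", "GITHUB_TOKEN")
	}
	token, source = firstSet(env, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN")
	if token == "" && inCodespace {
		// The leak: a GitHub.com token is returned for an unrelated host.
		return firstSet(env, "GITHUB_TOKEN")
	}
	return token, source
}

// tokenForHostFixed mirrors the 2.11.1 rule: GITHUB_TOKEN (and GH_TOKEN) are
// consulted only for GitHub.com or ghe.com hosts, codespace or not.
func tokenForHostFixed(env map[string]string, host string, _ bool) (token, source string) {
	if isGitHubOrGHE(host) {
		return firstSet(env, "GH_TOKEN", "GITHUB_TOKEN")
	}
	return firstSet(env, "GH_ENTERPRISE_TOKEN", "GITHUB_ENTERPRISE_TOKEN")
}

func main() {
	// Constructed environment resembling a codespace where only GITHUB_TOKEN is set.
	env := map[string]string{"GITHUB_TOKEN": "ghp_constructed_example"}
	for _, host := range []string{"github.com", "tenant.ghe.com", "ghes.example.internal"} {
		vt, vs := tokenForHostVulnerable(env, host, true)
		ft, fs := tokenForHostFixed(env, host, true)
		fmt.Printf("%-24s vulnerable: %q (%s)  fixed: %q (%s)\n", host, vt, vs, ft, fs)
	}
}
```

Running it shows the difference only for the third host: both variants return GITHUB_TOKEN for github.com and tenant.ghe.com, but for ghes.example.internal the vulnerable variant still returns the GitHub.com token while the fixed variant returns nothing, which is the point of the 2.11.1 change.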