Summary A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. Details go-gh sources authentication tokens from different environment variables depending on the host involved: GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.com GITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace. In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts. Impact Successful exploitation could send authentication token to an unintended host. Remediation and mitigation Upgrade go-gh to 2.11.1 Advise extension users to regenerate authentication tokens: Personal access tokens GitHub CLI OAuth app Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or…Read More
References
Back to Main