Unknown
CVE-2024-52308
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2024-52308
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using gh codespace ssh or gh codespace logs commands. This has been patched in the cli v2.62.0.
Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the default devcontainer image . GitHub CLI retrieves SSH connection details, such as remote username, which is used in executing ssh commands for gh codespace ssh or gh codespace logs commands.
This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects ssh arguments within the SSH connection details. gh codespace ssh and gh codespace logs commands could execute arbitrary code on the user’s workstation if the remote username contains something like -oProxyCommand="echo hacked" #. The -oProxyCommand flag causes ssh to execute the provided command while # shell comment causes any other ssh arguments to be ignored.
In 2.62.0, the remote username information is being validated before being used.
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
General Information
Vendors
- github
Products
- cli
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
