CVE-2024-52308
Published: 14 November 2024
Summary
CVE-2024-52308 is a high-severity Command Injection (CWE-77) vulnerability in GitHub CLI. Its CVSS base score is 8.0 (High).
Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a command injection flaw (CWE-77) in the GitHub CLI versions 2.6.1 and earlier. It affects the `gh codespace ssh` and `gh codespace logs` commands, which retrieve untrusted SSH connection details—including the remote username—from an SSH server running inside a devcontainer and pass those details directly to the local ssh binary without validation.
An attacker who controls a third-party devcontainer can run a malicious SSH server that supplies a crafted remote username containing ssh options such as `-oProxyCommand="echo hacked" #`. When a victim later invokes either of the affected commands against that codespace, the injected arguments cause the local ssh client to execute arbitrary code on the user’s workstation. The attack requires the victim to connect to the attacker’s codespace and has a CVSS score of 8.0.
The official advisory GHSA-p2h2-3vg9-4p87 states that the issue is fixed in GitHub CLI 2.62.0 by validating the remote username before it is used in ssh command construction. The EPSS score has remained flat at 0.0753 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3287
Vulnerability details
GitHub CLI versions 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using the `gh codespace ssh` or `gh codespace logs` commands. This has been patched in cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image](https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration). GitHub CLI [retrieves SSH connection details](https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244), such as the remote username, which is used in [executing `ssh` commands](https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263) for `gh codespace ssh` or `gh codespace logs`. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command, while the `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username is validated before being used.
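The defensive pattern both the "Deeper analysis" and "Vulnerability details" sections describe is validating a server-supplied username before it is spliced into the local `ssh` argv. The following Go program is an added illustration written for this page; it is not code from the cli project and does not reproduce the actual check in 2.62.0. The allowlist pattern, the function names `ValidateRemoteUser` and `BuildSSHArgs`, and the sample inputs are assumptions chosen to show why a value such as `-oProxyCommand="echo hacked" #` must never reach `ssh` as a login name.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// remoteUserPattern is an assumed, deliberately conservative allowlist:
// a POSIX-style portable username (lowercase letter or underscore first,
// then letters, digits, underscore or hyphen, at most 32 characters).
// Nothing matching it can begin with "-" or carry quotes, spaces or "#",
// which are the ingredients of the injection described above.
var remoteUserPattern = regexp.MustCompile(`^[a-z_][a-z0-9_-]{0,31}$`)

// ErrUnsafeRemoteUser is returned when the server-supplied username could
// be parsed by ssh as an option rather than as a login name.
var ErrUnsafeRemoteUser = errors.New("remote username contains unsafe characters")

// ValidateRemoteUser rejects any username that could be interpreted as an
// ssh argument. It runs before the value is placed on the ssh command line.
func ValidateRemoteUser(user string) error {
	if user == "" {
		return errors.New("remote username is empty")
	}
	if strings.HasPrefix(user, "-") {
		// A leading dash is exactly what turns a "username" into an option
		// such as -oProxyCommand=... once ssh parses its arguments.
		return ErrUnsafeRemoteUser
	}
	if !remoteUserPattern.MatchString(user) {
		return ErrUnsafeRemoteUser
	}
	return nil
}

// BuildSSHArgs assembles the argv that would be handed to the local ssh
// binary for a connection to host:port as user. The username is validated
// first, so the returned slice never contains an injected option.
func BuildSSHArgs(user, host string, port int) ([]string, error) {
	if err := ValidateRemoteUser(user); err != nil {
		return nil, err
	}
	args := []string{
		"ssh",
		"-p", fmt.Sprint(port),
		"-l", user,
		host,
	}
	return args, nil
}

func main() {
	// Constructed sample inputs: a benign devcontainer-style user and the
	// injection shape quoted in the advisory text above.
	for _, user := range []string{"codespace", `-oProxyCommand="echo hacked" #`} {
		args, err := BuildSSHArgs(user, "127.0.0.1", 2222)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", user, err)
			continue
		}
		fmt.Printf("accepted %q -> %s\n", user, strings.Join(args, " "))
	}
}
```

The important design choice is that the check is an allowlist on the value's shape rather than a blocklist of known-bad option names: rejecting only `-oProxyCommand` would leave every other `ssh` option that can run a command or load a file reachable through the same path. Detection-wise, a codespace or devcontainer whose SSH server reports a username that fails this kind of check is itself a useful signal worth logging before the connection is refused.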
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.