CVE-2024-25129 – Limited data exfiltration in CodeQL CLI

https://notcve.org/view.php?id=CVE-2024-25129

The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to an URL that contains material read from a local file chosen by the attacker. This may result in a loss of privacy of exfiltration of secrets. Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted. • https://github.com/github/codeql-cli-binaries/releases/tag/v2.16.3 https://github.com/github/codeql-cli-binaries/security/advisories/GHSA-gf8p-v3g3-3wph https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXELocal.ql • CWE-611: Improper Restriction of XML External Entity Reference •