CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52308 – Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
https://notcve.org/view.php?id=CVE-2024-52308
The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username information is being validated before being used. • https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-40764
https://notcve.org/view.php?id=CVE-2022-40764
Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original demonstration was with shell metacharacters in the vendor.json ignore field, affecting snyk-go-plugin before 1.19.1. This affects, for example, the Snyk TeamCity plugin (which does not update automatically) before 20220930.142957. Snyk CLI versiones anteriores a 1.996.0, permite una ejecución de comandos arbitraria, afectando a los plugins de Snyk IDE y al paquete snyk npm. • https://github.com/snyk/cli/releases/tag/v1.996.0 https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1 https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0 https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 2CVE-2016-10538
https://notcve.org/view.php?id=CVE-2016-10538
The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to. El paquete node-cli, en versiones anteriores a la 1.0.0, emplea de forma insegura lock_file y log_file. Ambos son temporales, pero permite que el usuario inicial sobrescriba cualquier archivo al que tenga acceso. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809252 https://github.com/node-js-libs/cli/issues/81 https://nodesecurity.io/advisories/95 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 0CVE-2007-4027
https://notcve.org/view.php?id=CVE-2007-4027
Buffer overflow in cli32 in Areca CLI 1.72.250 and earlier might allow local users to gain privileges via a long argument. NOTE: this program is not setuid by default, but there are some usage scenarios in which an administrator might make it setuid. Desbordamiento de búfer en el cli32 del Areca CLI 1.72.250 y versiones anteriores puede permitir a usuarios locales la obtención de privilegios mediante un argumento largo. NOTA: este programa no es de tipo setuid por defecto, pero hay algunos escenarios de uso, en los cuales el administrador puede hacerlo de este tipo. • http://osvdb.org/38999 http://securityreason.com/securityalert/2928 http://www.devtarget.org/areca-advisory-07-2007.txt http://www.securityfocus.com/archive/1/474415/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/35546 •