Arbitrary Code Execution Affecting github.com/cli/cli/pkg/cmd/alias/expand package, versions <1.2.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMCLICLIPKGCMDALIASEXPAND-7895539
- published 4 Sep 2024
- disclosed 11 Feb 2022
- credit Dawid Golunski
How to fix?
Upgrade github.com/cli/cli/pkg/cmd/alias/expand
to version 1.2.1 or higher.
Overview
Affected versions of this package are vulnerable to Arbitrary Code Execution. GitHub CLI depends on a git.exe
executable being found in the system %PATH%
on Windows. When a malicious .\git.exe
or .\git.bat
is found in the current working directory at the time of running gh
, the malicious command will be invoked instead of the system one.
Note:
Windows users who run gh
inside untrusted directories are affected.
References
CVSS Scores
version 3.1