Arbitrary Code Execution The advisory has been revoked - it doesn't affect any version of package github.com/cli/cli/v2/pkg/cmd/pr/checkout (opens in a new tab)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-GOLANG-GITHUBCOMCLICLIV2PKGCMDPRCHECKOUT-2400653
- published13 Feb 2022
- disclosed11 Feb 2022
- creditDawid Golunski
Introduced: 11 Feb 2022
CVE NOT AVAILABLE CWE-94 (opens in a new tab)Amendment
This was deemed not a vulnerability.
Overview
github.com/cli/cli/v2/pkg/cmd/pr/checkout is a GitHub on the command line. It brings pull requests, issues, and other GitHub concepts to the terminal next to where you are already working with git and your code.
Affected versions of this package are vulnerable to Arbitrary Code Execution. GitHub CLI depends on a git.exe executable being found in the system %PATH% on Windows. When a malicious .\git.exe or .\git.bat is found in the current working directory at the time of running gh, the malicious command will be invoked instead of the system one.
Note:
Windows users who run gh inside untrusted directories are affected.