CVE-2026-48501
Status: Analyzed (Analysis Complete)
Authorization Header Leak in GitHub CLI

Publication date: 2026-05-29

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes the authorization header in API requests to TUF repository mirrors via the gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0.
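The host-resolution flaw in the description, shown as a minimal Go illustration added here (it is not gh's own code): the vulnerable resolver collapses every *.github.com subdomain to github.com and falls back to an enterprise token for any host it does not recognise, while the hardened resolver releases a token only to an exact, explicitly configured host over HTTPS. The token values, the ghes.example.corp host and the api.github.com-to-github.com alias are assumptions made for this example.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed stand-in for the hosts a user has logged in to with gh.
var configuredTokens = map[string]string{
	"github.com":        "ghp_CONSTRUCTED_DOTCOM",
	"ghes.example.corp": "ghp_CONSTRUCTED_GHES",
}

const enterpriseFallback = "ghp_CONSTRUCTED_ENTERPRISE" // stand-in for GH_ENTERPRISE_TOKEN

// vulnerableToken reproduces the flawed resolution described above: every
// *.github.com subdomain collapses to github.com, and a host that still does
// not match falls back to the enterprise token (sigstore.dev, Azure Blob, ...).
func vulnerableToken(rawURL string) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", false
	}
	host := strings.ToLower(u.Hostname())
	if strings.HasSuffix(host, ".github.com") {
		host = "github.com" // tuf-repo.github.com now looks like the API host
	}
	if tok, ok := configuredTokens[host]; ok {
		return tok, true
	}
	return enterpriseFallback, enterpriseFallback != ""
}

// hardenedToken releases a token only to an exact, explicitly configured host
// over HTTPS and never substitutes another credential for an unknown host.
// Treating api.github.com as the github.com entry is this example's assumption.
func hardenedToken(rawURL string) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" {
		return "", false
	}
	host := strings.ToLower(u.Hostname())
	if host == "api.github.com" {
		host = "github.com"
	}
	tok, ok := configuredTokens[host]
	return tok, ok
}
```

Each resolver returns the token that would be attached to a request for the given URL, or false when no token should be sent; the TUF and Sigstore URLs from the description are the interesting inputs.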
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor: github
Product: cli
Version / Range: up to 2.93.0 (exclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Executive Summary

The vulnerability in GitHub CLI (gh) occurs because the tool incorrectly includes authorization headers in API requests to TUF repository mirrors when using the commands gh attestation, gh release verify, and gh release verify-asset.

This happens due to a flaw in the CLI's HTTP client authentication layer, which fails to properly detect the target host. Specifically, it treats any subdomain of github.com (like tuf-repo.github.com) as github.com itself, causing the user's GitHub token to be sent to unintended hosts.

Additionally, for hosts that do not match github.com or known GitHub Enterprise Server instances, the client falls back to using enterprise tokens if set, potentially exposing those tokens to external hosts.

This means that authentication tokens could be sent to external domains that are not part of the GitHub API, potentially exposing sensitive credentials.

Impact Analysis

If an attacker were to capture the exposed tokens, they could gain unauthorized access to private repositories, organization resources, or enterprise administration, depending on the permissions associated with the token.

This could lead to a compromise of confidentiality and integrity of your GitHub resources.

Although there is no evidence that tokens were logged, retained, or accessed by unauthorized parties, the potential impact is significant.

To mitigate this risk, users should revoke any authentication tokens used with GitHub CLI, upgrade to version 2.93.0 or later, and monitor security logs for suspicious activity.

Detection Guidance

This vulnerability involves GitHub CLI sending authorization tokens to unintended external hosts when running certain commands. Detection can focus on monitoring network traffic for unauthorized transmission of GitHub tokens to domains such as tuf-repo.github.com, tuf-repo-cdn.sigstore.dev, and Azure Blob Storage endpoints like tmaproduction.blob.core.windows.net.

You can inspect network traffic or logs for outgoing HTTP requests containing authorization headers to these external hosts.

Suggested approaches include using network monitoring tools or command-line utilities such as:

  • Capturing traffic with tcpdump or tshark and filtering for Authorization headers sent to the affected domains. gh reaches these hosts over HTTPS, so a raw capture on port 443 contains only ciphertext; the header is visible only at a TLS-terminating proxy or in a capture decrypted with the session keys.
  • Example tcpdump command (useful only on plaintext or decrypted traffic): sudo tcpdump -i any -A -s 0 'tcp port 443' | grep -i 'authorization'
  • Running `gh attestation`, `gh release verify`, and `gh release verify-asset` with an affected version against a test release while observing the traffic (for example through a local TLS-terminating proxy) to confirm whether tokens are sent to unintended hosts.

Additionally, reviewing GitHub CLI logs or enabling verbose/debug mode (setting GH_DEBUG=api makes gh log details of its HTTP traffic, including the host of each request, to standard error) may help identify whether tokens are being sent to unexpected endpoints.
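Detection logic for the guidance above, as an added example that is neither from this page nor from the gh project: it parses plain-text HTTP/1.1 requests, as a TLS-terminating proxy or a decrypted capture would expose them, and reports every host that received an Authorization header outside an allowlist of GitHub API hosts. The allowlist and the sample capture are constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Hosts that may legitimately receive a gh token (an assumption for this
// example; add your GHES hostnames here).
var allowedTokenHosts = map[string]bool{
	"api.github.com": true,
	"github.com":     true,
}

// scanRequests parses consecutive plain-text HTTP/1.1 requests, as a
// TLS-terminating proxy or a decrypted capture exposes them, and returns the
// host of every request whose Authorization header went outside the allowlist.
// The token value itself is never copied out of the request.
func scanRequests(capture string) []string {
	rd := bufio.NewReader(strings.NewReader(capture))
	var leaks []string
	for {
		req, err := http.ReadRequest(rd)
		if err != nil { // io.EOF at the end of the capture, or a malformed request
			return leaks
		}
		host := strings.ToLower(req.Host)
		if req.Header.Get("Authorization") != "" && !allowedTokenHosts[host] {
			leaks = append(leaks, host)
		}
	}
}

// Constructed capture: one legitimate API call, two TUF fetches that carry the
// token (the CVE-2026-48501 behaviour), and one clean TUF fetch.
const sampleCapture = "GET /repos/cli/cli HTTP/1.1\r\nHost: api.github.com\r\nAuthorization: token ghp_CONSTRUCTED\r\n\r\n" +
	"GET /1.root.json HTTP/1.1\r\nHost: tuf-repo.github.com\r\nAuthorization: token ghp_CONSTRUCTED\r\n\r\n" +
	"GET /1.root.json HTTP/1.1\r\nHost: tuf-repo-cdn.sigstore.dev\r\nAuthorization: token ghp_CONSTRUCTED\r\n\r\n" +
	"GET /1.root.json HTTP/1.1\r\nHost: tuf-repo-cdn.sigstore.dev\r\n\r\n"

func main() {
	for _, host := range scanRequests(sampleCapture) {
		fmt.Println("token sent to non-API host:", host)
	}
}
```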

Mitigation Strategies

To mitigate this vulnerability, you should immediately upgrade GitHub CLI to version 2.93.0 or later, where the issue is fixed.

Additionally, revoke any authentication tokens used with GitHub CLI to prevent potential misuse if tokens were exposed.

It is also recommended to review security logs for any suspicious activity that might indicate token misuse.

Compliance Impact

The vulnerability involves unauthorized exposure of authentication tokens to unintended external hosts, which could potentially lead to unauthorized access to private repositories and organizational resources.

Such unauthorized token exposure may impact compliance with data protection standards and regulations like GDPR and HIPAA, as it risks confidentiality and integrity of sensitive data accessed via these tokens.

Although there is no evidence that tokens were logged, retained, or accessed by unauthorized parties, the potential for token capture could lead to violations of these regulations if sensitive data were accessed or disclosed.

Mitigation steps include revoking affected tokens, upgrading to a fixed version, and reviewing security logs, which are important actions to maintain compliance and reduce risk.
