CVE-2024-54132

Publication date 4 December 2024

Last updated 11 December 2024


Ubuntu priority

The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.
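The defect described above is a path-traversal of the download destination: the artifact name is joined onto the `--dir` value without checking that the result still lies inside it, so a name of `..` resolves to the parent directory. The following Go function (gh itself is written in Go) is an added illustration of the kind of containment check a downloader needs; it is not gh's own code or its actual fix, and the function name `SafeArtifactDir`, the error values and the sample names are assumptions for this example. It resolves the destination, then rejects any artifact name whose resolved path escapes the base directory or collapses onto the base directory itself, so each artifact is confined to its own subdirectory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideDir: the artifact name resolves to a location outside the download directory.
var ErrOutsideDir = errors.New("artifact path escapes the download directory")

// ErrNotSubdir: the artifact name resolves to the download directory itself (e.g. "" or ".").
var ErrNotSubdir = errors.New("artifact name does not name a subdirectory")

// SafeArtifactDir returns the directory into which an artifact named artifactName
// may be extracted under baseDir, or an error if that directory would not be a
// proper subdirectory of baseDir. Illustrative check, not gh's implementation.
func SafeArtifactDir(baseDir, artifactName string) (string, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// filepath.Join cleans the result, so "<base>/.." collapses to base's parent:
	// exactly the behaviour that has to be caught, not trusted.
	target := filepath.Join(base, artifactName)

	// Express the target relative to base; anything that starts with ".." escaped.
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideDir
	}
	if rel == "." {
		return "", ErrNotSubdir
	}
	return target, nil
}

func main() {
	// Constructed sample names: a benign one and two traversal attempts.
	for _, name := range []string{"build-logs", "..", "../sibling"} {
		dir, err := SafeArtifactDir("downloads", name)
		if err != nil {
			fmt.Printf("%-12q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-12q -> %s\n", name, dir)
	}
}
```

The check is done on the cleaned, resolved path rather than by looking for a literal `..` in the name, so variants such as `../x` or `a/../..` are caught by the same comparison; a real downloader would apply the same containment test again to every entry inside the archive when extracting it.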

Status

Package   Ubuntu Release     Status
gh        24.10 oracular     Needs evaluation
          24.04 LTS noble    Needs evaluation
          22.04 LTS jammy    Needs evaluation
          20.04 LTS focal    Not in release