Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
`gh attestation verify` returns incorrect exit code during verification if no attestations are present
Vulnerability Description
`gh` is GitHub's official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation CLI tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: when no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.
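The description above concerns pipelines that gate a deployment solely on the exit status of `gh attestation verify`. The following is an added example, not code from the advisory or from the `gh` project: a fail-closed wrapper that, in addition to the exit status, refuses to proceed when the verifier reports zero attestations. It assumes that `gh attestation verify --format json` prints a JSON array of verified attestations and an empty array when none were found (an assumption about `gh` output, not stated on this page), and it accepts an optional stand-in verifier command so the gate logic can be exercised without `gh` installed. Upgrading to `v2.67.0` remains the actual fix; the wrapper is a defence-in-depth check for the "no attestations" failure mode.

```shell
#!/bin/sh
# Fail-closed deployment gate around `gh attestation verify`.
# Treats "verifier reported zero attestations" as a failure even when the
# verifier itself exits 0 (the affected behaviour in gh 2.49.0 to before 2.67.0).
#
# Assumptions (not taken from the advisory):
#   - `gh attestation verify <artifact> --owner <owner> --format json` prints a
#     JSON array of verified attestations, and an empty array when there are none.
#   - Usage: verify_gate <artifact> <owner> [verifier-cmd ...]
#     The optional verifier-cmd replaces the real gh invocation (used by tests).

verify_gate() {
  artifact="$1"
  owner="$2"
  shift 2

  # Default verifier: the real gh invocation (assumed flags, see header comment).
  if [ "$#" -eq 0 ]; then
    set -- gh attestation verify "$artifact" --owner "$owner" --format json
  fi

  # 1. A non-zero exit from the verifier is a failure, as it always was.
  out="$("$@")" || {
    echo "verify_gate: verifier exited non-zero for $artifact" >&2
    return 1
  }

  # 2. Belt-and-braces: refuse when the verifier had nothing to verify.
  #    Whitespace is stripped so "[ ]" and "[]\n" compare equal.
  compact="$(printf '%s' "$out" | tr -d ' \t\r\n')"
  case "$compact" in
    ""|"[]"|"null")
      echo "verify_gate: no attestations found for $artifact; refusing to deploy" >&2
      return 2
      ;;
  esac

  echo "verify_gate: $artifact has verified attestations"
  return 0
}

# Intended use in a pipeline (runs the real gh; paths are placeholders):
#   verify_gate ./release.tar.gz example-org && ./deploy.sh ./release.tar.gz
```

Return code 1 means the verifier itself failed; return code 2 means it succeeded but reported no attestations, which is exactly the case the advisory describes being mis-reported as success.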
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Vulnerability Type
Detection of Error Condition Without Action
Vulnerability Title
GitHub CLI security vulnerability
Vulnerability Description
GitHub CLI is an open-source command-line interface to GitHub published by GitHub CLI. GitHub CLI versions from 2.49.0 up to, but not including, 2.67.0 contain a security vulnerability: the `gh attestation verify` tool returns an incorrect status, which can allow an attacker to deploy malicious artifacts.
CVSS Information
N/A
Vulnerability Type
N/A