High-severity vulnerability in the GitHub command line could let attackers remotely execute arbitrary code
Payment News · 2024-11-20

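GitHub recently released version 2.62.0, which mainly fixes the high-severity vulnerability CVE-2024-52308. GitHub noted that an attacker who exploits this flaw could carry out remote code execution (RCE) attacks.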

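On November 15, the GitHub development team stated that the code repository platform has a high-severity vulnerability, CVE-2024-52308, located in its command-line interface (CLI). If it is exploited, an attacker could remotely execute arbitrary code (RCE) when a user connects to a malicious Codespace SSH server and runs the gh codespace ssh or gh codespace logs command. The flaw has a CVSS score of 8.1, and GitHub released version 2.62.0 to fix it.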

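As for the cause of the weakness, GitHub said it stems from how the command-line interface handles SSH connections while executing commands. When developers connect to a remote Codespace, they usually gain access through an SSH server running in a development container (devcontainer), and such containers are usually built from a default image.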

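Once an external malicious development container performs injection at the SSH server and passes in SSH connection details through the relevant parameters, the attacker can use the gh codespace ssh or gh codespace logs command to execute arbitrary code on the user's workstation, and may even be able to access the user's data on that system.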

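In response, the development team released a new version that fixes the vulnerability. If updating promptly is not possible, IT staff should take particular care when bringing in development container images, and should preferably use images from trusted sources.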
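
As an added example (not from GitHub or the original article), this shell check classifies a workstation's GitHub CLI against the fixed release 2.62.0 named above. The function names are hypothetical, and it assumes the first line of `gh --version` has the form `gh version X.Y.Z (date)`.

```shell
#!/bin/sh
# Added example: flag GitHub CLI installs older than the release that fixes
# CVE-2024-52308. Function names are hypothetical, not part of gh itself.
FIXED_VERSION="2.62.0"   # patched release named in the article

# Extract "X.Y.Z" from text shaped like the first line of `gh --version`.
# Prints nothing when no version can be found.
parse_gh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^gh version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 when version $1 >= version $2. Fields are compared numerically,
# so 2.9.0 is correctly treated as older than 2.62.0.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # -> a_major a_minor a_patch b_major b_minor b_patch
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# Classify version output as "patched X.Y.Z", "vulnerable X.Y.Z" or "unknown".
classify_gh() {
    v=$(parse_gh_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "patched $v"
    else
        echo "vulnerable $v"
    fi
}

# Check the local install when gh is present on PATH.
if command -v gh >/dev/null 2>&1; then
    classify_gh "$(gh --version 2>/dev/null)"
fi
```

A result of `unknown` means the output could not be parsed and the install should be checked by hand rather than assumed safe.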
