fkie_cve-2025-25204
Vulnerability from fkie_nvd
Published
2025-02-14 17:15
Modified
2025-02-14 17:15
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
`gh` is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`'s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible.
References
security-advisories@github.comhttps://github.com/cli/cli/issues/10418
security-advisories@github.comhttps://github.com/cli/cli/pull/10421
security-advisories@github.comhttps://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "`gh` is GitHub\u2019s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub\u0027s Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect: When no attestations are present, `gh attestation verify` should return a non-zero exit status code, thereby signaling verification failure. An attacker can abuse this flaw to, for example, deploy malicious artifacts in any system that uses `gh attestation verify`\u0027s exit codes to gatekeep deployments. Users are advised to update `gh` to patched version `v2.67.0` as soon as possible."
    },
    {
      "lang": "es",
      "value": "`gh` es la herramienta de l\u00ednea de comandos oficial de GitHub. A partir de la versi\u00f3n 2.49.0 y antes de la versi\u00f3n 2.67.0, bajo ciertas condiciones, un error en la herramienta de l\u00ednea de comandos Artifact Attestation de GitHub `gh attestation verified` hace que devuelva un estado de salida cero cuando no hay atestaciones presentes. Este comportamiento es incorrecto: cuando no hay atestaciones presentes, `gh attestation verified` debe devolver un c\u00f3digo de estado de salida distinto de cero, lo que indica un error de verificaci\u00f3n. Un atacante puede aprovechar esta falla para, por ejemplo, implementar artefactos maliciosos en cualquier sistema que use los c\u00f3digos de salida de `gh attestation verified` para controlar las implementaciones. Se recomienda a los usuarios actualizar `gh` a la versi\u00f3n parcheada `v2.67.0` lo antes posible."
    }
  ],
  "id": "CVE-2025-25204",
  "lastModified": "2025-02-14T17:15:19.140",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-14T17:15:19.140",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/cli/cli/issues/10418"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/cli/cli/pull/10421"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/cli/cli/security/advisories/GHSA-fgw4-v983-mgp8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-390"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.