{
  "id": "CVE-2024-35183",
  "summary": "wolfictl leaks GitHub tokens to remote non-GitHub git servers",
  "details": "wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than `github.com`. Most git-dependent functionality in wolfictl relies on its own `git` package, which contains centralized logic for interacting with git repositories. Some of this functionality requires authentication in order to access private repositories. A central function, `GetGitAuth`, looks for a GitHub token in the environment variable `GITHUB_TOKEN` and returns it as an HTTP basic auth object to be used with the `github.com/go-git/go-git/v5` library. Most callers (direct or indirect) of `GetGitAuth` use the token to authenticate to github.com only; however, some callers passed this authentication to go-git without checking that the remote git repository was hosted on github.com, so the token was sent as basic auth credentials to whatever host the remote URL named. This behavior has existed in one form or another since commit 0d06e1578300327c212dda26a5ab31d09352b9d0 (committed January 25, 2023).\n\nThis impacts anyone who ran the `wolfictl check update` command with a Melange configuration that included a `git-checkout` step referencing a git repository not hosted on github.com. It also impacts anyone who ran `wolfictl update <url>` with a remote URL outside of github.com. In both cases the subcommand must have run with the `GITHUB_TOKEN` environment variable set to a valid GitHub token.\n\nUsers should upgrade to version 0.16.10 to receive a patch. Because the token is transmitted to the remote as HTTP basic auth credentials, anyone who ran the affected commands against a non-github.com remote with `GITHUB_TOKEN` set should treat that token as exposed to the operator of that remote and revoke it.",
  "aliases": ["GHSA-8fg7-hp93-qhvr", "GO-2024-2863"],
  "modified": "2026-04-02T12:16:28.456095Z",
  "published": "2024-05-15T21:24:23.656Z",
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": ["CWE-552", "CWE-668"],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35183.json"
  },
  "references": [
    {"type": "WEB", "url": "https://github.com/wolfi-dev/wolfictl/blob/488b53823350caa706de3f01ec0eded9350c7da7/pkg/update/update.go#L143"},
    {"type": "WEB", "url": "https://github.com/wolfi-dev/wolfictl/blob/4dd6c95abb4bc0f9306350a8601057bd7a92bded/pkg/update/deps/cleanup.go#L49"},
    {"type": "WEB", "url": "https://github.com/wolfi-dev/wolfictl/blob/6d99909f7b1aa23f732d84dad054b02a61f530e6/pkg/git/git.go#L22"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35183.json"},
    {"type": "ADVISORY", "url": "https://github.com/wolfi-dev/wolfictl/security/advisories/GHSA-8fg7-hp93-qhvr"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35183"},
    {"type": "WEB", "url": "https://github.com/wolfi-dev/wolfictl/commit/0d06e1578300327c212dda26a5ab31d09352b9d0"},
    {"type": "FIX", "url": "https://github.com/wolfi-dev/wolfictl/commit/403e93569f46766b4e26e06cf9cd0cae5ee0c2a2"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/wolfi-dev/wolfictl",
          "events": [{"introduced": "0"}, {"fixed": "403e93569f46766b4e26e06cf9cd0cae5ee0c2a2"}]
        }
      ],
      "versions": ["v0.0.1", "v0.0.2", "v0.1.0", "v0.1.1", "v0.1.2", "v0.1.3", "v0.1.4", "v0.1.5", "v0.1.6", "v0.1.7", "v0.2.0", "v0.3.0", "v0.3.1", "v0.3.2", "v0.3.3", "v0.4.0", "v0.4.1", "v0.4.2", "v0.5.0", "v0.5.1", "v0.6.0", "v0.7.0", "v0.7.1", "v0.7.2", "v0.8.0", "v0.8.1", "v0.8.2", "v0.8.3", "v0.8.4", "v0.8.5", "v0.9.0", "v0.10.0", "v0.10.1", "v0.10.2", "v0.10.3", "v0.11.0", "v0.11.1", "v0.11.2", "v0.11.3", "v0.11.4", "v0.11.5", "v0.11.6", "v0.12.0", "v0.13.0", "v0.14.0", "v0.14.1", "v0.14.2", "v0.14.3", "v0.14.4", "v0.14.5", "v0.14.6", "v0.14.7", "v0.14.8", "v0.14.9", "v0.14.10", "v0.14.11", "v0.14.12", "v0.14.13", "v0.14.14", "v0.14.15", "v0.14.16", "v0.15.0", "v0.15.1", "v0.15.2", "v0.15.3", "v0.15.4", "v0.15.5", "v0.15.6", "v0.15.7", "v0.15.8", "v0.15.9", "v0.15.10", "v0.15.11", "v0.15.12", "v0.15.13", "v0.15.14", "v0.15.15", "v0.15.16", "v0.15.17", "v0.15.18", "v0.15.19", "v0.16.0", "v0.16.1", "v0.16.2", "v0.16.3", "v0.16.4", "v0.16.5", "v0.16.6", "v0.16.7", "v0.16.8", "v0.16.9"],
      "database_specific": {"source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35183.json"}
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"}]
}
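The record above describes the bug as a missing host check before a `GITHUB_TOKEN`-derived basic-auth object is handed to go-git. The following Go program is an added example written for this page; it is not wolfictl's code and not the actual patch. It places the unchecked pattern next to a host-checked one and goes a little beyond the advisory by exercising the URL shapes that a naive substring match on "github.com" would get wrong. Assumptions: `basicAuth` is a local stand-in for go-git's `transport/http.BasicAuth` so the program needs only the standard library; the username `git` and the function names `gitAuthUnchecked`, `isGitHubRemote` and `gitAuthForRemote` are hypothetical; the remote URLs and the placeholder token are constructed, and no network request is made.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// basicAuth is a local stand-in for go-git's transport/http.BasicAuth so this
// example runs with the standard library only; the fields map one-to-one.
type basicAuth struct {
	Username string
	Password string
}

// gitAuthUnchecked reproduces the pattern the advisory describes: the value of
// GITHUB_TOKEN is returned as basic auth with no regard to which remote it will
// be sent to, so a non-github.com remote receives the token. This is a
// reconstruction for illustration, not wolfictl's code.
func gitAuthUnchecked(token string) *basicAuth {
	if token == "" {
		return nil
	}
	// The username is irrelevant for GitHub token auth; "git" is an assumption.
	return &basicAuth{Username: "git", Password: token}
}

// isGitHubRemote decides whether a remote URL may receive the GitHub token.
// The decision is made on the parsed host, never on a substring of the raw
// string, so the usual lookalikes fail: "github.com" in the userinfo part,
// "github.com" in the path, and "github.com.evil.example" as a parent domain.
// Only https is accepted: plain http would put the token on the wire in the
// clear, and ssh/scp-style remotes do not use HTTP basic auth at all.
func isGitHubRemote(remote string) bool {
	u, err := url.Parse(remote)
	if err != nil {
		return false // includes scp-style "git@host:path", which url.Parse rejects
	}
	if u.Scheme != "https" {
		return false
	}
	// Hostname() drops userinfo and any :port, leaving only the host.
	host := strings.ToLower(u.Hostname())
	return host == "github.com"
}

// gitAuthForRemote is the hardened form: the token is attached only when the
// remote is github.com; every other remote gets nil (anonymous access).
func gitAuthForRemote(remote, token string) *basicAuth {
	if token == "" || !isGitHubRemote(remote) {
		return nil
	}
	return &basicAuth{Username: "git", Password: token}
}

func main() {
	// Use the real GITHUB_TOKEN if set, otherwise a constructed placeholder so
	// the demo runs offline; nothing here performs a network request.
	token := os.Getenv("GITHUB_TOKEN")
	if token == "" {
		token = "ghp_constructed_placeholder_token"
	}

	// Constructed remotes: the first two are legitimate GitHub HTTPS remotes,
	// the rest are the cases that must not receive the token.
	remotes := []string{
		"https://github.com/wolfi-dev/wolfictl.git",
		"https://GitHub.com:443/org/repo",
		"https://gitlab.example/org/repo.git",
		"https://github.com@evil.example/org/repo",
		"https://evil.example/github.com/org/repo",
		"https://github.com.evil.example/org/repo",
		"http://github.com/org/repo",
		"git@github.com:org/repo.git",
	}
	for _, r := range remotes {
		leaks := gitAuthUnchecked(token) != nil
		sends := gitAuthForRemote(r, token) != nil
		fmt.Printf("%-45s unchecked sends token: %-5v host-checked sends token: %v\n", r, leaks, sends)
	}
}
```

Run it with `go run main.go`; the unchecked column is `true` for every remote, which is the leak, while the host-checked column is `true` only for the two github.com remotes. Comparing `u.Hostname()` after parsing, rather than searching the raw string for "github.com", is what makes the userinfo, path and parent-domain lookalikes fail.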