CVE-2024-35183 in wolfictl
Summary
by MITRE • 05/16/2024
wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than `github.com`. Most git-dependent functionality in wolfictl relies on its own `git` package, which contains centralized logic for implementing interactions with git repositories. Some of this functionality requires authentication in order to access private repositories. A central function `GetGitAuth` looks for a GitHub token in the environment variable `GITHUB_TOKEN` and returns it as an HTTP basic auth object to be used with the `github.com/go-git/go-git/v5` library. Most callers (direct or indirect) of `GetGitAuth` use the token to authenticate to github.com only; however, in some cases callers were passing this authentication without checking that the remote git repository was hosted on github.com. This behavior has existed in one form or another since commit 0d06e1578300327c212dda26a5ab31d09352b9d0 - committed January 25, 2023. This impacts anyone who ran the `wolfictl check update` commands with a Melange configuration that included a `git-checkout` directive step that referenced a git repository not hosted on github.com. This also impacts anyone who ran `wolfictl update` with a remote URL outside of github.com. Additionally, these subcommands must have run with the `GITHUB_TOKEN` environment variable set to a valid GitHub token. Users should upgrade to version 0.16.10 to receive a patch.
Analysis
by VulDB Data Team • 03/29/2025
CVE-2024-35183 affects wolfictl, a command line tool for working with Wolfi. The issue stems from a git authentication flaw in versions prior to 0.16.10 and creates a significant security risk for users who supply a GitHub token to the tool. The core problem lies in how the tool handles authentication when interacting with git repositories, specifically within its centralized `git` package. The `GetGitAuth` function, which serves as the primary authentication mechanism, reads the token from the `GITHUB_TOKEN` environment variable and wraps it as an HTTP basic authentication object for use with the `github.com/go-git/go-git/v5` library. This design becomes dangerous when callers pass that object to remote repositories that are not hosted on github.com: the credential is applied regardless of the target host, with no check that the destination is the one the token was issued for.
The vulnerability's operational impact extends across multiple wolfictl commands that rely on git functionality, particularly those that check out repositories. When a user runs `wolfictl check update` with a Melange configuration containing a `git-checkout` directive that references a repository hosted outside github.com, or runs `wolfictl update` with a remote URL that does not point to github.com, the tool forwards the GitHub token to that remote server. This behavior has persisted since January 25, 2023, when commit 0d06e1578300327c212dda26a5ab31d09352b9d0 introduced the problematic code pattern. The flaw is a clear violation of the principle of least privilege and shows inadequate validation of remote repository destinations: a legitimate GitHub credential is disclosed to hosts that should never receive it, where it could be misused.
This vulnerability aligns with several cybersecurity frameworks and threat models, particularly CWE-284, which addresses improper access control, and CWE-352, which covers cross-site request forgery. The issue also maps to ATT&CK technique T1550.001, which involves the use of valid credentials to gain access to systems, since an attacker could intercept and misuse a GitHub token forwarded to an unintended destination. The flaw essentially creates a credential leakage scenario: a user's legitimate GitHub token can be sent to a malicious or unintended server, potentially allowing unauthorized access to any repository or system that accepts that credential. The attack vector is particularly concerning because it requires no special privileges beyond a valid GitHub token in the environment, so any local user who has configured GitHub credentials and runs the affected commands is exposed. The patch in version 0.16.10 addresses this by validating the remote before attaching credentials, so that authentication is applied only when connecting to github.com repositories, which prevents the unintended credential exposure that previously occurred.
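The following Go program is an added illustration of the mechanism described in the summary and the analysis above; it is not wolfictl's code and not the project's actual fix. It assumes stand-in `BasicAuth` and `CloneOptions` types in place of go-git's `transport/http.BasicAuth` and `git.CloneOptions` so that it runs with the standard library only, and it uses a constructed placeholder token. `cloneOptionsVulnerable` reproduces the flawed pattern (token attached to every remote); `cloneOptionsFixed` attaches it only when the parsed remote is `github.com` over HTTP(S). The `naiveIsGitHub` helper is included to show why the check must parse the URL rather than look for a substring.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// BasicAuth is a stand-in for go-git's transport/http.BasicAuth (assumption:
// same two fields) so this example needs no external module.
type BasicAuth struct {
	Username string
	Password string
}

// CloneOptions is a stand-in for the subset of go-git's git.CloneOptions used here.
type CloneOptions struct {
	URL  string
	Auth *BasicAuth
}

// GetGitAuth mirrors the behaviour the advisory describes: read GITHUB_TOKEN
// from the environment and wrap it as HTTP basic auth. The username is a
// placeholder; GitHub ignores it when a token is supplied as the password.
func GetGitAuth() *BasicAuth {
	token := os.Getenv("GITHUB_TOKEN")
	if token == "" {
		return nil
	}
	return &BasicAuth{Username: "x-access-token", Password: token}
}

// cloneOptionsVulnerable reproduces the flawed pattern: the token is attached
// to every remote, whatever host it points at.
func cloneOptionsVulnerable(remote string, auth *BasicAuth) CloneOptions {
	return CloneOptions{URL: remote, Auth: auth}
}

// naiveIsGitHub is the check a hurried fix might write. It accepts any URL
// that merely contains "github.com", including userinfo and look-alike hosts.
func naiveIsGitHub(remote string) bool {
	return strings.Contains(remote, "github.com")
}

// isGitHubHTTPRemote reports whether remote is an http(s) URL whose host is
// exactly github.com. Parsing (rather than substring matching) means that
// https://github.com@other.example/... (github.com as userinfo) and
// github.com.other.example (a look-alike host) are both rejected.
func isGitHubHTTPRemote(remote string) bool {
	u, err := url.Parse(remote)
	if err != nil {
		return false
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "https" && scheme != "http" {
		// ssh:// and scp-like git@github.com:org/repo forms never carry
		// HTTP basic auth, so they get no token either.
		return false
	}
	return strings.EqualFold(u.Hostname(), "github.com")
}

// cloneOptionsFixed attaches the token only when the remote is github.com
// over HTTP(S); every other destination is cloned anonymously.
func cloneOptionsFixed(remote string, auth *BasicAuth) CloneOptions {
	opts := CloneOptions{URL: remote}
	if isGitHubHTTPRemote(remote) {
		opts.Auth = auth
	}
	return opts
}

func main() {
	// Constructed placeholder token; a real run would call GetGitAuth().
	auth := &BasicAuth{Username: "x-access-token", Password: "ghp_EXAMPLE_NOT_A_REAL_TOKEN"}
	remotes := []string{ // constructed sample remotes
		"https://github.com/wolfi-dev/wolfictl.git",
		"https://GITHUB.COM:443/wolfi-dev/wolfictl.git",
		"https://gitlab.example.org/group/project.git",
		"https://github.com@gitlab.example.org/group/project.git",
		"https://github.com.gitlab.example.org/group/project.git",
		"git@github.com:wolfi-dev/wolfictl.git",
	}
	for _, r := range remotes {
		v := cloneOptionsVulnerable(r, auth)
		f := cloneOptionsFixed(r, auth)
		fmt.Printf("%-58s vulnerable sends token: %-5v fixed sends token: %v\n",
			r, v.Auth != nil, f.Auth != nil)
	}
}
```

Running it prints one line per sample remote; only the two github.com entries keep the token under `cloneOptionsFixed`, while the vulnerable variant attaches it to all six. The same host check belongs at every call site that builds go-git options from `GetGitAuth`, which is the class of caller the advisory says was missed.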