[GHSA-p2h2-3vg9-4p87] Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer

[dernorberto]

Updates

• Description

Comments
Hi there! The CPE for this vulnerability is cpe:2.3:a:github:cli:*:*:*:*:*:*:*:*, but the application is called gh. CVE/software-matching tools (e.g. FleetDM) will find the gh app but won't assign this CVE.
As a CNA, you could you update the CPE to include cpe:2.3:a:github:gh:*:*:*:*:*:*:*:*.

[github]

Hi there @andyfeller! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[darakian]

Hey @dernorberto, that cpe string looks like it was added by nvd and not by us
https://nvd.nist.gov/vuln/detail/CVE-2024-52308#VulnChangeHistorySection
You'll need to reach out to them to adjust it.