x/vulndb: potential Go vuln in github.com/cli/cli: GHSA-fqfh-778m-2v32

[GoVulnBot]

In GitHub Security Advisory GHSA-fqfh-778m-2v32, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/cli/cli/	1.2.1	< 1.2.1

See doc/triage.md for instructions on how to triage this report.

package: github.com/cli/cli/
versions:
  - introduced: v0.0.0
    fixed: v1.2.1
description: |-
    ### Impact
    GitHub CLI depends on a `git.exe` executable being found in system `%PATH%` on Windows. However, if a malicious `.\git.exe` or `.\git.bat` is found in the current working directory at the time of running `gh`, the malicious command will be invoked instead of the system one.

    Windows users who run `gh` inside untrusted directories are affected.

    ### Patches
    Users should upgrade to GitHub CLI v1.2.1.

    ### Workarounds
    Other than avoiding untrusted repositories, there is no workaround.

    ### References
    https://github.com/golang/go/issues/38736
published: 2022-02-11T23:41:11Z
last_modified: 2022-02-11T23:41:11Z
ghsas:
  - GHSA-fqfh-778m-2v32

[neild]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607217 mentions this issue: data/reports: unexclude 20 reports (15)