GitHub CLI Artifact Attestation Verification Exit Code Mismanagement Vulnerability

Vulnerability

GitHub CLI versions 2.49.0 through 2.66.x (that is, prior to the fix in 2.67.0) contain a flaw in the artifact attestation verification command. When an artifact's attestations carry a predicate type other than the one selected with `--predicate-type`, `gh attestation verify` finds no matching attestation yet still exits with status 0. A zero exit status is the conventional signal that verification succeeded, so callers that gate on the exit code alone treat the artifact as verified when nothing was actually checked. Deployment systems that use this exit code to decide whether an artifact may be promoted can therefore deploy unverified, potentially malicious artifacts.

Impact

The flaw turns a "no matching attestation" outcome into a false pass. Any environment that relies on the exit code of `gh attestation verify` as its deployment gate can admit artifacts whose attestations were never verified, including attacker-supplied artifacts with no valid provenance at all.

Reproduction

To reproduce, install GitHub CLI 2.66.1 and run `gh attestation verify` against an artifact with a `--predicate-type` value that you know none of its attestations carry. The command verifies nothing, yet exits with status 0, a false positive. Confirm by reading the shell's exit status immediately after the command (`echo $?` in POSIX shells), which prints 0 despite the absence of any matching attestation.
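The following deployment gate is an added example written for this page; it is not GitHub's code and not part of the advisory. It closes the gap above by refusing to treat a zero exit status as proof of verification: besides the exit code it parses the command's `--format json` output and requires at least one attestation whose statement carries the requested predicate type. The JSON shape it expects (a top-level array whose elements hold an in-toto statement at `verificationResult.statement`) and the `SLSA_PROVENANCE_V1` predicate type are assumptions, as are the sample outputs, which are constructed here rather than captured from `gh`.

```python
"""Deployment gate around `gh attestation verify` (added example, not gh's code).

Assumptions, not taken from the advisory:
  * `gh attestation verify <artifact> --owner <owner> --predicate-type <t>
    --format json` prints a JSON array, each element carrying an in-toto
    statement at verificationResult.statement.
  * SLSA_PROVENANCE_V1 is the predicate type the pipeline expects.
"""
import json
import subprocess
import sys

SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def matching_attestations(output_json, predicate_type):
    """Return the result objects whose statement has the given predicate type.

    Anything that is not a JSON array of result objects counts as zero
    matches: malformed or empty output must never pass the gate.
    """
    try:
        results = json.loads(output_json)
    except (TypeError, ValueError):
        return []
    if not isinstance(results, list):
        return []
    matches = []
    for item in results:
        if not isinstance(item, dict):
            continue
        verification = item.get("verificationResult")
        if not isinstance(verification, dict):
            continue
        statement = verification.get("statement")
        if isinstance(statement, dict) and statement.get("predicateType") == predicate_type:
            matches.append(item)
    return matches


def is_verified(returncode, output_json, predicate_type):
    """Gate decision.

    exit code != 0 -> fail (gh itself reported a failure)
    exit code == 0 -> pass only if a matching attestation is present; this is
                      the check that gh 2.49.0-2.66.x skipped when the
                      predicate type did not match.
    """
    if returncode != 0:
        return False
    return len(matching_attestations(output_json, predicate_type)) > 0


def run_gate(artifact, owner, predicate_type=SLSA_PROVENANCE_V1):
    """Invoke gh and apply the gate. Needs gh on PATH and network access."""
    proc = subprocess.run(
        ["gh", "attestation", "verify", artifact, "--owner", owner,
         "--predicate-type", predicate_type, "--format", "json"],
        capture_output=True, text=True, check=False,
    )
    return is_verified(proc.returncode, proc.stdout, predicate_type)


# Constructed sample outputs in the assumed shape; not captured from gh.
def _result(predicate_type):
    return {"verificationResult": {"statement": {
        "_type": "https://in-toto.io/Statement/v1",
        "predicateType": predicate_type,
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": "0" * 64}}],
    }}}


SAMPLE_MATCH = json.dumps([_result(SLSA_PROVENANCE_V1)])
SAMPLE_EMPTY = "[]"  # no attestations at all, yet exit code 0 on 2.66.1
SAMPLE_OTHER = json.dumps([_result("https://example.com/custom-predicate/v1")])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python gate.py <artifact-path> <github-owner>
        ok = run_gate(sys.argv[1], sys.argv[2])
    else:
        # Offline demonstration: only the first case may pass the gate.
        ok = True
        for label, out in (("match", SAMPLE_MATCH), ("empty", SAMPLE_EMPTY),
                           ("other", SAMPLE_OTHER)):
            print(label, is_verified(0, out, SLSA_PROVENANCE_V1))
    sys.exit(0 if ok else 1)
```

The point of the two-step check is that the exit code only tells you gh did not fail; it is the parsed output that tells you something was actually verified. The same gate remains useful after upgrading to 2.67.0, since it makes the pipeline independent of how any particular gh release maps "nothing matched" onto an exit status.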

Remediation

Update GitHub CLI to version 2.67.0 or later, where `gh attestation verify` exits with a non-zero status when no attestation matches the requested predicate type. Until the upgrade is in place, do not rely on the exit code alone; inspect the command's output and require at least one matching attestation before allowing a deployment to proceed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.