CVE-2020-5260: Git Credential Disclosure Vulnerability Alert

Recently, Git issued a security bulletin announcing a vulnerability that could reveal Git user credentials (CVE-2020-5260).

Git uses a credential helper to help users store and retrieve credentials. When a URL contains an encoded newline, however, it can inject unexpected values into the credential helper's protocol stream. A malicious URL can thereby trick the Git client into sending host credentials to the attacker. The vulnerability is triggered when an affected version of Git is used to run a git clone command on a malicious URL.
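The failure mode described above, as an added example (not code from Git or from this advisory): a simplified Python model of a line-based key=value credential stream, showing that a percent-encoded newline becomes an extra line once decoded, next to a check that rejects such URLs. The function names, the `injected` key and the sample URLs are constructed for illustration, and the URL parsing is simplified rather than Git's own.

```python
from urllib.parse import urlsplit, unquote

class UnsafeCredentialValue(ValueError):
    """A decoded URL component cannot be carried in a line-based key=value stream."""

def credential_fields(url):
    """Decoded (key, value) pairs a credential request for `url` would carry (simplified)."""
    parts = urlsplit(url)
    userinfo, _, host = parts.netloc.rpartition("@")
    username, _, password = userinfo.partition(":")
    raw = [("protocol", parts.scheme), ("host", host), ("path", parts.path.lstrip("/")),
           ("username", username), ("password", password)]
    return [(key, unquote(value)) for key, value in raw if value]

def naive_serialize(fields):
    """Vulnerable pattern: values are written without checking for line breaks."""
    return "".join(f"{k}={v}\n" for k, v in fields) + "\n"

def serialize(fields):
    """Hardened pattern: refuse any value the line-based format cannot represent."""
    for key, value in fields:
        if "\n" in value or "\r" in value or "\0" in value:
            raise UnsafeCredentialValue(f"{key!r} contains a line break or NUL after decoding")
    return naive_serialize(fields)

def helper_view(stream):
    """Parse the stream as a line-oriented reader would: one key=value per line."""
    seen = {}
    for line in stream.split("\n"):
        if not line:  # a blank line ends the request
            break
        key, _, value = line.partition("=")
        seen[key] = value
    return seen

def audit(urls):
    """Return the URLs whose decoded components would break the stream."""
    flagged = []
    for url in urls:
        try:
            serialize(credential_fields(url))
        except UnsafeCredentialValue:
            flagged.append(url)
    return flagged

# Constructed sample input (not from the advisory).
SAMPLES = ["https://example.com/org/repo.git",
           "https://example.com/repo.git%0Ainjected=1"]
```

Running `audit` over URLs collected from build scripts or submodule configuration flags any that would smuggle an extra line into the stream, which is useful while hosts are still being upgraded.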

Affected versions

  • Git 2.17.x <= 2.17.3
  • Git 2.18.x <= 2.18.2
  • Git 2.19.x <= 2.19.3
  • Git 2.20.x <= 2.20.2
  • Git 2.21.x <= 2.21.1
  • Git 2.22.x <= 2.22.2
  • Git 2.23.x <= 2.23.1
  • Git 2.24.x <= 2.24.1
  • Git 2.25.x <= 2.25.2
  • Git 2.26.x <= 2.26.0

Unaffected versions

  • Git 2.17.4
  • Git 2.18.3
  • Git 2.19.4
  • Git 2.20.3
  • Git 2.21.2
  • Git 2.22.3
  • Git 2.23.2
  • Git 2.24.2
  • Git 2.25.3
  • Git 2.26.1

Solution

Users should upgrade to an unaffected version as soon as possible.