CVE-2020-5260: Input Validation
First published: Tue Apr 14 2020(Updated: )
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
Credit: Felix Wilhelm Google Project Zero security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/git | <1:2.17.1-1ubuntu0.6 | 1:2.17.1-1ubuntu0.6 |
| ubuntu/git | <1:2.20.1-2ubuntu1.19.10.2 | 1:2.20.1-2ubuntu1.19.10.2 |
| ubuntu/git | <1:2.7.4-0ubuntu1.8 | 1:2.7.4-0ubuntu1.8 |
| <2.17.4 | ||
| >=2.22.0<2.22.3 | ||
| >=2.18.0<2.18.3 | ||
| >=2.19.0<2.19.4 | ||
| >=2.20.0<2.20.3 | ||
| >=2.21.0<2.21.2 | ||
| >=2.23.0<2.23.2 | ||
| >=2.24.0<2.24.2 | ||
| >=2.25.0<2.25.3 | ||
| >=2.26.0<2.26.1 | ||
| =16.04 | ||
| =18.04 | ||
| =19.10 | ||
| =8.0 | ||
| =9.0 | ||
| =10.0 | ||
| =30 | ||
| =31 | ||
| =32 | ||
| =15.1 | ||
| Git Git | <2.17.4 | |
| Git Git | >=2.22.0<2.22.3 | |
| Git-scm Git | >=2.18.0<2.18.3 | |
| Git-scm Git | >=2.19.0<2.19.4 | |
| Git-scm Git | >=2.20.0<2.20.3 | |
| Git-scm Git | >=2.21.0<2.21.2 | |
| Git-scm Git | >=2.23.0<2.23.2 | |
| Git-scm Git | >=2.24.0<2.24.2 | |
| Git-scm Git | >=2.25.0<2.25.3 | |
| Git-scm Git | >=2.26.0<2.26.1 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| openSUSE Leap | =15.1 | |
| Apple Xcode | <11.4.1 | 11.4.1 |
| debian/git | 1:2.20.1-2+deb10u3 1:2.20.1-2+deb10u8 1:2.30.2-1+deb11u2 1:2.39.2-1.1 1:2.43.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT211141 (Advisory)
- https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
- https://www.debian.org/security/2020/dsa-4657
- https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b
- https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/
- https://support.apple.com/kb/HT211141
- http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html
- http://www.openwall.com/lists/oss-security/2020/04/15/5
- http://www.openwall.com/lists/oss-security/2020/04/15/6
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/
- http://www.openwall.com/lists/oss-security/2020/04/20/1
- https://security.gentoo.org/glsa/202004-13
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://usn.ubuntu.com/4329-1/
- https://launchpad.net/bugs/cve/CVE-2020-5260
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/
- https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/
- https://lore.kernel.org/lkml/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=17f1c0b8c7e447aa62f85dc355bb48133d2812f2
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=c716fe4bd917e013bf376a678b3a924447777b2d
- https://git.kernel.org/pub/scm/git/git.git/commit/?id=07259e74ec1237c836874342c65650bdee8a3993
- https://bugs.chromium.org/p/project-zero/issues/detail?id=2021
- https://security-tracker.debian.org/tracker/CVE-2020-5260
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260
- https://ubuntu.com/security/notices/USN-4329-1
- https://nvd.nist.gov/vuln/detail/CVE-2020-5260
- https://ubuntu.com/security/CVE-2020-5260
Frequently Asked Questions
What is CVE-2020-5260?
CVE-2020-5260 is a critical vulnerability in Git that allows private credentials to be sent to an attacker-controlled host.
Which versions of Git are affected by CVE-2020-5260?
The affected versions of Git include 2.20.1-2+deb10u3, 2.20.1-2+deb10u8, 2.30.2-1+deb11u2, 2.39.2-1.1, and 2.42.0-1.
How can Git be tricked into sending private credentials in CVE-2020-5260?
Git can be tricked into sending private credentials by using external "credential helper" programs and passing values with newline characters.
Is Apple Xcode affected by CVE-2020-5260?
Yes, Apple Xcode version 11.4.1 is affected by CVE-2020-5260.
Are there any remediation steps available for CVE-2020-5260 in Debian and Ubuntu?
Yes, there are remediation steps available for CVE-2020-5260 in Debian and Ubuntu, including specific package versions that need to be installed.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/apple-support
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- vendor/apple
- canonical/apple xcode
- vendor/git
- canonical/git git
- version/git git/2.22.0
- vendor/git-scm
- canonical/git-scm git
- version/git-scm git/2.18.0
- version/git-scm git/2.19.0
- version/git-scm git/2.20.0
- version/git-scm git/2.21.0
- version/git-scm git/2.23.0
- version/git-scm git/2.24.0
- version/git-scm git/2.25.0
- version/git-scm git/2.26.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.10
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- package-manager/debian
- package-manager/ubuntu