CWE
522 20
Advisory Published
CVE Published
Updated

CVE-2020-5260: malicious URLs may cause Git to present stored credentials to the wrong server

First published: Tue Apr 14 2020(Updated: )

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.

Credit: Felix Wilhelm Google Project Zero security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Apple Xcode<11.4.1
11.4.1
Git Git<2.17.4
Git Git>=2.22.0<2.22.3
Git-scm Git>=2.18.0<2.18.3
Git-scm Git>=2.19.0<2.19.4
Git-scm Git>=2.20.0<2.20.3
Git-scm Git>=2.21.0<2.21.2
Git-scm Git>=2.23.0<2.23.2
Git-scm Git>=2.24.0<2.24.2
Git-scm Git>=2.25.0<2.25.3
Git-scm Git>=2.26.0<2.26.1
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=19.10
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Fedoraproject Fedora=30
Fedoraproject Fedora=31
Fedoraproject Fedora=32
openSUSE Leap=15.1
ubuntu/git<1:2.17.1-1ubuntu0.6
1:2.17.1-1ubuntu0.6
ubuntu/git<1:2.20.1-2ubuntu1.19.10.2
1:2.20.1-2ubuntu1.19.10.2
ubuntu/git<1:2.7.4-0ubuntu1.8
1:2.7.4-0ubuntu1.8
debian/git
1:2.30.2-1+deb11u2
1:2.39.2-1.1
1:2.43.0-1
1:2.45.2-1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

  • What is CVE-2020-5260?

    CVE-2020-5260 is a critical vulnerability in Git that allows private credentials to be sent to an attacker-controlled host.

  • Which versions of Git are affected by CVE-2020-5260?

    The affected versions of Git include 2.20.1-2+deb10u3, 2.20.1-2+deb10u8, 2.30.2-1+deb11u2, 2.39.2-1.1, and 2.42.0-1.

  • How can Git be tricked into sending private credentials in CVE-2020-5260?

    Git can be tricked into sending private credentials by using external "credential helper" programs and passing values with newline characters.

  • Is Apple Xcode affected by CVE-2020-5260?

    Yes, Apple Xcode version 11.4.1 is affected by CVE-2020-5260.

  • Are there any remediation steps available for CVE-2020-5260 in Debian and Ubuntu?

    Yes, there are remediation steps available for CVE-2020-5260 in Debian and Ubuntu, including specific package versions that need to be installed.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203