Recently, Git issued a security bulletin announcing a vulnerability that could reveal Git user credentials (CVE-2020-5260).
Git uses a credential assistant to help users store and retrieve credentials. However, when the URL contains encoded line breaks, it may inject unexpected values into the protocol flow of the credential helper. This will cause the malicious URL to trick the Git client to send the host credentials to the attacker. This vulnerability will be triggered when the affected Git version is used to execute the git clone command on a malicious URL.
Affected version
- Git 2.17.x <= 2.17.3
- Git 2.18.x <= 2.18.2
- Git 2.19.x <= 2.19.3
- Git 2.20.x <= 2.20.2
- Git 2.21.x <= 2.21.1
- Git 2.22.x <= 2.22.2
- Git 2.23.x <= 2.23.1
- Git 2.24.x <= 2.24.1
- Git 2.25.x <= 2.25.2
- Git 2.26.x <= 2.26.0
Unaffected version
- Git 2.17.4
- Git 2.18.3
- Git 2.19.4
- Git 2.20.3
- Git 2.21.2
- Git 2.22.3
- Git 2.23.2
- Git 2.24.2
- Git 2.25.3
- Git 2.26.1
Solution:
Users please upgrade to the unaffected version as soon as possible.
