Git Credential Disclosure Vulnerability (CVE-2020-5260)
Git issued a security bulletin announcing a vulnerability that could reveal Git user credentials (CVE-2020-5260). Git uses a credential helper to store and retrieve credentials.
When a URL contains an encoded newline (%0a), however, it can inject unexpected values into the protocol stream that Git writes to the credential helper. The vulnerability is triggered when an affected version of Git runs git clone against a malicious URL.
Vulnerability ID
CVE-2020-5260
Vulnerability Name
Git credential disclosure vulnerability
Scope of Impact
Affected versions:
- Git 2.17.x <= 2.17.3
- Git 2.18.x <= 2.18.2
- Git 2.19.x <= 2.19.3
- Git 2.20.x <= 2.20.2
- Git 2.21.x <= 2.21.1
- Git 2.22.x <= 2.22.2
- Git 2.23.x <= 2.23.1
- Git 2.24.x <= 2.24.1
- Git 2.25.x <= 2.25.2
- Git 2.26.x <= 2.26.0
Unaffected versions:
- Git 2.17.4
- Git 2.18.3
- Git 2.19.4
- Git 2.20.3
- Git 2.21.2
- Git 2.22.3
- Git 2.23.2
- Git 2.24.2
- Git 2.25.3
- Git 2.26.1
Official Solution
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the latest secure version.
Download address: https://github.com/git/git/releases
Suggestion
Perform the following steps to scan for and fix the vulnerability.
- Detect and view vulnerability details, as shown in Manually starting a vulnerability scan. For details, see Viewing Vulnerability Details.
- Fix vulnerabilities and verify the result. For details, see Handling Vulnerabilities.
Other Protection Measures
If you cannot upgrade for the moment, you can take the following measures:
- Disable credential helper by running the following commands:
git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper
- Be vigilant about malicious URLs.
- Examine the server name and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (example: host=github.com).
- Avoid using submodules with untrusted repositories (do not use git clone --recurse-submodules; run git submodule update only after examining the URLs found in .gitmodules).
- Avoid tools which may run git clone.
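As an added example (not part of this advisory or of Git itself), the following Python script reconstructs the key=value request Git hands to a credential helper for a clone URL and flags embedded newlines or injected protocol lines, implementing the URL check suggested above. The hostnames are constructed placeholders.

```python
"""Check git clone URLs for encoded newlines that could corrupt the
credential-helper protocol stream (CVE-2020-5260)."""
from urllib.parse import urlsplit, unquote

# Keys git writes to a credential helper, one "key=value" line each.
# ("path" is only sent when credential.useHttpPath is set, so it is
# listed here only so an injected "path=" line is recognised.)
CREDENTIAL_KEYS = ("protocol", "host", "username", "password", "path")


def credential_fields(url):
    """Return the fields git would hand to a credential helper for this
    URL, after percent-decoding the userinfo and host portions."""
    parts = urlsplit(url)
    fields = {"protocol": parts.scheme}
    userinfo, _, hostport = parts.netloc.rpartition("@")
    fields["host"] = unquote(hostport)
    if userinfo:
        user, _, password = userinfo.partition(":")
        fields["username"] = unquote(user)
        if password:
            fields["password"] = unquote(password)
    return fields


def helper_stream(url):
    """Render the request exactly as a helper would read it on stdin."""
    return "".join(f"{k}={v}\n" for k, v in credential_fields(url).items())


def find_injection(url):
    """Return a list of findings; an empty list means the URL looks safe."""
    findings = []
    for key, value in credential_fields(url).items():
        if "\n" not in value and "\r" not in value:
            continue
        findings.append(f"{key}: embedded newline")
        # Everything after the first newline is parsed by the helper as
        # further protocol lines; report any that name a credential key.
        for extra in value.replace("\r", "\n").split("\n")[1:]:
            name, sep, _ = extra.partition("=")
            if sep and name in CREDENTIAL_KEYS:
                findings.append(f"{key}: injects '{name}=' line")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs; the second carries an encoded newline.
    for u in ("https://alice@git.example.com/repo.git",
              "https://one.example.com%0ahost=two.example.com/repo.git"):
        print(u, "->", find_injection(u) or "ok")
```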