Git Credential Disclosure Vulnerability (CVE-2020-5260)
Git issued a security bulletin announcing a vulnerability that could reveal Git user credentials (CVE-2020-5260). Git uses a credential helper to store and retrieve credentials.
However, when a URL contains an encoded newline (%0a), the decoded newline can inject unexpected values into the credential helper's protocol stream. The vulnerability is triggered when an affected version of Git runs git clone against a malicious URL.
Git credential disclosure vulnerability
Scope of Impact
- Git 2.17.x <= 2.17.3
- Git 2.18.x <= 2.18.2
- Git 2.19.x <= 2.19.3
- Git 2.20.x <= 2.20.2
- Git 2.21.x <= 2.21.1
- Git 2.22.x <= 2.22.2
- Git 2.23.x <= 2.23.1
- Git 2.24.x <= 2.24.1
- Git 2.25.x <= 2.25.2
- Git 2.26.x <= 2.26.0
Secure Versions
- Git 2.17.4
- Git 2.18.3
- Git 2.19.4
- Git 2.20.3
- Git 2.21.2
- Git 2.22.3
- Git 2.23.2
- Git 2.24.2
- Git 2.25.3
- Git 2.26.1
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the latest secure version.
Download address: https://github.com/git/git/releases
Perform the following steps to scan for and fix the vulnerability.
- Scan and view details of a vulnerability, as shown in Figure 1. For details, see Viewing Details of a Vulnerability.
- Fix vulnerabilities and verify the result. For details, see Fixing Vulnerabilities and Verifying the Result.
Other Protection Measures
If you cannot upgrade for the moment, you can take the following measures:
- Disable credential helper by running the following commands:
git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper
- Be vigilant about malicious URLs.
- Examine the server name and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (example: host=github.com).
- Avoid using submodules with untrusted repositories (do not use git clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules).
- Avoid tools which may run git clone.
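A checker for the URL inspection recommended above, as an added example that is not part of this bulletin or of Git itself. It examines the authority part (userinfo@host:port) of a clone URL for encoded line breaks and for segments that look like credential-helper protocol keys; the finding strings and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Keys of git's credential helper line protocol ("key=value", one per line).
CREDENTIAL_KEYS = ("protocol", "host", "path", "username", "password", "url")
_KEY_LINE_RE = re.compile(r"^(?:%s)=" % "|".join(CREDENTIAL_KEYS))


def check_clone_url(url: str) -> list:
    """Return human-readable findings about the authority part
    (userinfo@host:port) of a URL that is about to be handed to git clone.
    An empty list means nothing suspicious was found."""
    findings = []
    # A raw line break anywhere in a URL is never legitimate.
    if "\n" in url or "\r" in url:
        findings.append("raw line break in URL")
    authority = urlsplit(url).netloc  # still percent-encoded
    if not authority:
        return findings  # no authority part: not the affected code path
    # Encoded newline / carriage return (either case) in userinfo or host.
    if re.search(r"%0[aAdD]", authority):
        findings.append("encoded line break (%0a/%0d) in URL authority")
    decoded = unquote(authority)
    # Look at each decoded line the way the credential helper would:
    # a line that starts with a protocol key is an injection attempt.
    for line in re.split(r"[\r\n]+", decoded):
        if _KEY_LINE_RE.match(line):
            key = line.split("=", 1)[0]
            findings.append("credential-protocol key in URL authority: %s=" % key)
    return findings


if __name__ == "__main__":
    # Constructed sample URLs; evil.example is a placeholder host.
    for sample in (
        "https://github.com/git/git.git",
        "https://user%0ahost=evil.example@github.com/git/git.git",
        "https://github.com%0Aprotocol=https/git/git.git",
    ):
        print(sample, "->", check_clone_url(sample) or "clean")
```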