Updated on 2024-09-23 GMT+08:00

Git Credential Disclosure Vulnerability (CVE-2020-5260)

Git issued a security bulletin announcing a vulnerability that could reveal Git user credentials (CVE-2020-5260). Git uses a credential helper to store and retrieve credentials.

The credential helper protocol is line-oriented, so a URL containing an encoded newline (%0a) can inject unexpected values into the protocol stream of the credential helper. This vulnerability is triggered when an affected version of Git is used to run a git clone command against a malicious URL.

Vulnerability ID

CVE-2020-5260

Vulnerability Name

Git credential disclosure vulnerability

Scope of Impact

Affected versions:

  • Git 2.17.x <= 2.17.3
  • Git 2.18.x <= 2.18.2
  • Git 2.19.x <= 2.19.3
  • Git 2.20.x <= 2.20.2
  • Git 2.21.x <= 2.21.1
  • Git 2.22.x <= 2.22.2
  • Git 2.23.x <= 2.23.1
  • Git 2.24.x <= 2.24.1
  • Git 2.25.x <= 2.25.2
  • Git 2.26.x <= 2.26.0

Unaffected versions:

  • Git 2.17.4
  • Git 2.18.3
  • Git 2.19.4
  • Git 2.20.3
  • Git 2.21.2
  • Git 2.22.3
  • Git 2.23.2
  • Git 2.24.2
  • Git 2.25.3
  • Git 2.26.1

Official Solution

This vulnerability has been fixed in the latest official version. If your Git version falls into the affected range, upgrade it to the latest secure version.

Download address: https://github.com/git/git/releases

Suggestion

Perform the following steps to scan for and fix the vulnerability.

  1. Detect the vulnerability and view its details, as shown in Figure 1 (Manually starting a vulnerability scan). For details, see Viewing Vulnerability Details.

    Figure 1 Manually starting a vulnerability scan

  2. Fix the vulnerability and verify the result. For details, see Handling Vulnerabilities.

Other Protection Measures

If you cannot upgrade for the moment, take the following measures:

  • Disable the credential helper by running the following commands:

    git config --unset credential.helper

    git config --global --unset credential.helper

    git config --system --unset credential.helper

  • Be vigilant about malicious URLs.
    1. Examine the server name and username portions of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injection (example: host=github.com).
    2. Avoid using submodules with untrusted repositories (do not use git clone --recurse-submodules; run git submodule update only after examining the URLs found in .gitmodules).
    3. Avoid tools that may run git clone automatically.
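The URL examination described in steps 1 and 2 above can be automated as a pre-clone screening step. The following Python script is an added example written for this page; it is not code from the advisory or from the Git project. It percent-decodes the username and host portions of a URL, flags any newline or credential-protocol key name (protocol, host, path, username, password, url, as documented for git-credential) found there, and applies the same check to every url line of a .gitmodules file. The function names, the sample URLs and the sample .gitmodules text are constructed for the example.

```python
"""Screen repository URLs for the CVE-2020-5260 injection pattern before running git clone.

Added example, not part of the advisory. The git credential-helper protocol is
line-oriented (key=value lines), so a newline smuggled into the username or host
portion of a URL can add extra lines to the helper's stream. This screener flags
URLs whose userinfo or host decodes to a newline or a credential-protocol key.
"""
import re
from urllib.parse import urlsplit, unquote

# Attribute names of the git credential-helper line protocol (see git-credential(1)).
CREDENTIAL_KEYS = ("protocol", "host", "path", "username", "password", "url")
# A key is suspicious when it starts the part or follows a non-alphanumeric
# character (a decoded newline, for instance) and is followed by '='.
_KEY_RE = re.compile(
    r"(?:^|[^A-Za-z0-9])(" + "|".join(CREDENTIAL_KEYS) + r")=", re.IGNORECASE
)
# scp-like form: [user@]host:path (no scheme).
_SCP_RE = re.compile(r"^(?:(?P<user>[^/@]+)@)?(?P<host>[^:/]+):")
# 'url = ...' lines of a .gitmodules file (git config syntax).
_GITMODULES_URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def split_authority(url: str):
    """Return (userinfo, host) for a scheme://... URL or an scp-like user@host:path URL."""
    if "://" in url:
        netloc = urlsplit(url).netloc
        userinfo, _, host = netloc.rpartition("@")  # userinfo is '' when no '@'
        return userinfo, host
    m = _SCP_RE.match(url)
    if m:
        return m.group("user") or "", m.group("host")
    return "", ""


def screen_url(url: str) -> list:
    """Return a list of findings for one URL; an empty list means nothing suspicious."""
    findings = []
    # Check the raw string first: recent urllib versions silently strip literal
    # newline/tab characters before splitting, so they must be caught here.
    if any(ch in url for ch in "\r\n\t"):
        findings.append("raw URL contains a literal newline/tab")
    userinfo, host = split_authority(url.strip())
    for part_name, raw in (("userinfo", userinfo), ("host", host)):
        decoded = unquote(raw)  # turns %0a / %0A into a real newline
        if "\n" in decoded or "\r" in decoded:
            findings.append(f"{part_name} contains an encoded newline")
        m = _KEY_RE.search(decoded)
        if m:
            findings.append(
                f"{part_name} contains credential-protocol key '{m.group(1).lower()}='"
            )
    return findings


def screen_gitmodules(text: str) -> dict:
    """Map each flagged submodule URL in a .gitmodules file to its findings."""
    flagged = {}
    for url in _GITMODULES_URL_RE.findall(text):
        findings = screen_url(url)
        if findings:
            flagged[url] = findings
    return flagged


# Constructed sample inputs (not from the advisory).
SAMPLE_URLS = [
    "https://github.com/git/git.git",
    "https://alice@github.com/example/repo.git",
    "git@github.com:example/repo.git",
    "https://alice%0ahost=github.com@example.com/repo.git",  # encoded newline in userinfo
]

GITMODULES_SAMPLE = """\
[submodule "vendor/good"]
\tpath = vendor/good
\turl = https://github.com/example/good.git
[submodule "vendor/bad"]
\tpath = vendor/bad
\turl = https://alice%0ahost=github.com@example.com/bad.git
"""

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", screen_url(u) or "ok")
    for u, f in screen_gitmodules(GITMODULES_SAMPLE).items():
        print(".gitmodules:", u, "->", f)
```

Run screen_url on every URL a pipeline is about to hand to git clone, and screen_gitmodules on the checked-out .gitmodules before git submodule update; refuse the clone when the result is non-empty. The screener only covers the username and host portions named in the advisory, so it is a stop-gap for hosts that cannot yet move to a fixed Git version, not a replacement for the upgrade.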