PT-2020-2069 · Git+5
Felix Wilhelm · Published 2020-04-14 · Updated 2025-07-22 · CVE-2020-5260
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Git versions prior to 2.17.4
Git versions prior to 2.18.3
Git versions prior to 2.19.4
Git versions prior to 2.20.3
Git versions prior to 2.21.2
Git versions prior to 2.22.3
Git versions prior to 2.23.2
Git versions prior to 2.24.2
Git versions prior to 2.25.3
Git versions prior to 2.26.1
Description
The issue arises from insufficient input validation in Git's "credential helper" component, allowing an attacker to trick Git into sending private credentials to a host controlled by the attacker. This can be achieved by crafting a specially formatted URL containing an encoded newline, which injects unintended values into the credential helper protocol stream. As a result, the credential helper may retrieve the password for one server and send it to another server, potentially leading to unauthorized access to protected information. The vulnerability can be triggered by feeding a malicious URL to git clone, and the likely vector would be through systems that automatically clone URLs not visible to the user, such as Git submodules or package systems built around Git.
Recommendations
For versions prior to 2.17.4, update to version 2.17.4 or later.
For versions prior to 2.18.3, update to version 2.18.3 or later.
For versions prior to 2.19.4, update to version 2.19.4 or later.
For versions prior to 2.20.3, update to version 2.20.3 or later.
For versions prior to 2.21.2, update to version 2.21.2 or later.
For versions prior to 2.22.3, update to version 2.22.3 or later.
For versions prior to 2.23.2, update to version 2.23.2 or later.
For versions prior to 2.24.2, update to version 2.24.2 or later.
For versions prior to 2.25.3, update to version 2.25.3 or later.
For versions prior to 2.26.1, update to version 2.26.1 or later.
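Where URLs are cloned automatically (submodules, package systems), they can be screened for the encoded-newline condition from the description before Git sees them. The following Python check is an added example, not code from Git or from this advisory; the function names and sample URLs are constructed for illustration, and flagging carriage returns as well as newlines is a conservative assumption.

```python
from urllib.parse import urlsplit, unquote

# The credential helper stream is line-based (key=value per line), so a decoded
# line break inside any value would start a new, attacker-chosen line.
# "\r" is a conservative addition (assumption); the advisory names newline only.
LINE_BREAKS = ("\n", "\r")

# Constructed sample input, not taken from the advisory.
SAMPLE_URLS = [
    "https://git.example.org/team/project.git",
    "https://git.example.org%0ainjected=line/project.git",
    "https://user@git.example.org/dir%0Aname/project.git",
]


def credential_fields(url):
    """Percent-decode the URL parts that map to credential protocol attributes."""
    parts = urlsplit(url)
    userinfo, _, host = parts.netloc.rpartition("@")
    username, _, password = userinfo.partition(":")
    raw = {
        "protocol": parts.scheme,
        "host": host,
        "username": username,
        "password": password,
        "path": parts.path.lstrip("/"),
    }
    return {key: unquote(value) for key, value in raw.items() if value}


def unsafe_fields(url):
    """Names of attributes whose decoded value contains a line break."""
    return sorted(
        key for key, value in credential_fields(url).items()
        if any(ch in value for ch in LINE_BREAKS)
    )


def audit(urls):
    """Map each URL that should be rejected to its offending attribute names."""
    return {u: bad for u in urls if (bad := unsafe_fields(u))}


if __name__ == "__main__":
    for url, bad in audit(SAMPLE_URLS).items():
        print(f"REJECT {url!r}: line break in {', '.join(bad)}")
```

A check like this is a pre-screen for URL lists such as .gitmodules entries or dependency manifests; it does not replace updating Git to one of the fixed versions listed above.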
As a temporary workaround, consider disabling the credential.helper function until a patch is available. Restrict access to the vulnerable credential.helper module to minimize the risk of exploitation. Avoid using the credential.helper protocol with suspicious URLs until the issue is resolved.
Exploit
Fix
Insufficiently Protected Credentials
RCE
Related Identifiers
Affected Products
Alt Linux
Centos
Git
Red Hat
Suse
Ubuntu