CVE-2020-11008

Name of the Vulnerable Software and Affected Versions Git versions prior to 2.26.2 Git versions prior to 2.25.4 Git versions prior to 2.24.3 Git versions prior to 2.23.3 Git versions prior to 2.22.4 Git versions prior to 2.21.3 Git versions prior to 2.20.4 Git versions prior to 2.19.5 Git versions prior to 2.18.4 Git versions prior to 2.17.5

Description The issue is related to Git's "credential helper" programs, which can be tricked into sending private credentials to a host controlled by an attacker. This can be achieved by feeding a malicious URL to git clone, potentially through systems that automatically clone URLs, such as Git submodules or package systems built around Git. The vulnerability can be triggered by specially-crafted URLs that are considered illegal, causing Git to send a "blank" pattern to helpers, which may interpret this as matching any URL and return some unspecified stored password. The estimated number of potentially affected devices is not provided.

Recommendations For Git versions prior to 2.26.2, update to version 2.26.2 or later. For Git versions prior to 2.25.4, update to version 2.25.4 or later. For Git versions prior to 2.24.3, update to version 2.24.3 or later. For Git versions prior to 2.23.3, update to version 2.23.3 or later. For Git versions prior to 2.22.4, update to version 2.22.4 or later. For Git versions prior to 2.21.3, update to version 2.21.3 or later. For Git versions prior to 2.20.4, update to version 2.20.4 or later. For Git versions prior to 2.19.5, update to version 2.19.5 or later. For Git versions prior to 2.18.4, update to version 2.18.4 or later. For Git versions prior to 2.17.5, update to version 2.17.5 or later. As a temporary workaround, consider disabling the store helper, cache helper, or osxkeychain helper until a patch is available. Restrict access to the vulnerable credential.helper module to minimize the risk of exploitation. Avoid using the credential.helper module with vulnerable versions of Git until the issue is resolved.