PT-2025-2873 · Unknown+1 · Git For Windows+2


Published: 2025-01-14 · Updated: 2025-01-27
CVE-2024-50338
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Git Credential Manager versions prior to 2.6.1
Git for Windows versions prior to 2.47.1.2
Description
The issue arises from a mismatch in newline handling between Git and Git Credential Manager (GCM) in the credential-helper protocol. GCM treats LF, CRLF and a bare CR as line terminators, whereas Git treats only LF and CRLF as newlines. A CR embedded in a remote URL therefore passes through Git as part of a single key=value line but is read by GCM as a line break, so an attacker-controlled value can smuggle an extra protocol line (for example a second host entry) that Git never sees. By crafting such a malicious remote URL, an attacker can cause GCM to hand over credentials for a different Git remote when a user clones or otherwise interacts with the malicious repository. The risk is heightened when cloning repositories with submodules using the --recursive option, because the user has no opportunity to inspect the submodule remote URLs beforehand.
Recommendations
Git Credential Manager versions prior to 2.6.1: upgrade to version 2.6.1 or later.
Git for Windows versions prior to 2.47.1.2: upgrade to version 2.47.1.2 or later (this release ships a patched GCM).
Users unable to upgrade: interact only with trusted remote repositories, and avoid cloning with --recursive so that submodule URLs can be inspected before they are cloned.
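The parsing mismatch described above, modelled as an added example (this is not Git's or GCM's code): two readers consume the same credential-helper request, one with Git's terminator set (LF, CRLF) and one with GCM's pre-2.6.1 set (LF, CRLF, bare CR), followed by a hardened reader that breaks lines only on LF and rejects any CR left inside a key or value. The request bytes are constructed for the demonstration; the placement of the CR inside the host value, the hostnames, and all function names are assumptions made for illustration, not details taken from the advisory.

```python
"""Model of the git credential-helper key=value protocol and of the
line-ending mismatch between Git and GCM. Illustrative code only; the
request bytes below are constructed, not captured from a real clone."""

# Terminator sets as the advisory describes them: Git accepts LF and CRLF,
# GCM (before 2.6.1) additionally accepted a bare CR.
GIT_TERMINATORS = (b"\r\n", b"\n")
GCM_TERMINATORS = (b"\r\n", b"\n", b"\r")

# Constructed request, shaped like what Git writes to a helper's stdin for a
# remote whose host part smuggles "\rhost=github.com". Hostnames are made up.
MALICIOUS_REQUEST = (
    b"protocol=https\n"
    b"host=attacker.example\rhost=github.com\n"
    b"path=repo.git\n"
    b"\n"
)

# Ordinary request on which every reader should agree.
BENIGN_REQUEST = b"protocol=https\nhost=github.com\n\n"


def split_lines(data: bytes, terminators) -> list[bytes]:
    """Split a byte stream into lines using the given terminator set.
    Longer terminators are tried first so CRLF is not read as CR then LF."""
    terms = sorted(terminators, key=len, reverse=True)
    lines, buf, i = [], bytearray(), 0
    while i < len(data):
        for term in terms:
            if data.startswith(term, i):
                lines.append(bytes(buf))
                buf.clear()
                i += len(term)
                break
        else:
            buf.append(data[i])
            i += 1
    if buf:
        lines.append(bytes(buf))
    return lines


def parse_credential_request(data: bytes, terminators) -> dict[str, str]:
    """Parse key=value lines up to the blank line that ends a request.
    A later duplicate key overwrites an earlier one, as in the protocol."""
    attrs: dict[str, str] = {}
    for line in split_lines(data, terminators):
        if line == b"":
            break
        key, sep, value = line.partition(b"=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key.decode()] = value.decode()
    return attrs


def parse_credential_request_strict(data: bytes) -> dict[str, str]:
    """Hardened reader: only LF terminates a line (one trailing CR is
    tolerated so CRLF input still works), and any CR remaining inside a key
    or value is rejected rather than re-interpreted as a line break."""
    attrs: dict[str, str] = {}
    for raw in data.split(b"\n"):
        line = raw[:-1] if raw.endswith(b"\r") else raw
        if line == b"":
            break
        if b"\r" in line:
            raise ValueError(f"control character in credential line: {line!r}")
        key, sep, value = line.partition(b"=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key.decode()] = value.decode()
    return attrs


def compare_views(data: bytes) -> dict[str, object]:
    """Return the host each reader believes the request is for, plus whether
    the hardened reader accepts the request at all."""
    git_host = parse_credential_request(data, GIT_TERMINATORS).get("host")
    gcm_host = parse_credential_request(data, GCM_TERMINATORS).get("host")
    try:
        parse_credential_request_strict(data)
        strict = "accepted"
    except ValueError:
        strict = "rejected"
    return {"git_host": git_host, "gcm_host": gcm_host, "strict": strict}


if __name__ == "__main__":
    for label, request in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label)
        for name, value in compare_views(request).items():
            print(f"  {name}: {value!r}")
```

For the malicious request the GCM-style reader resolves the lookup to github.com and would return that remote's credentials, while Git has only ever seen one (odd-looking) host value and sends whatever the helper returns to the remote it is actually talking to; that is the "credentials for another Git remote" the description refers to. The strict reader refuses the request outright, which is the defensive direction of the fix; it does not reproduce the actual GCM 2.6.1 change.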

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-01178
CVE-2024-50338
GHSA-86C2-4X57-WC8G

Affected Products

Git
Git Credential Manager
Git For Windows