PT-2025-2874 · Git+10
Dschop · Published 2025-01-14 · Updated 2026-01-15
CVE-2024-50349
CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Git versions prior to v2.48.1
Git versions prior to v2.47.2
Git versions prior to v2.46.3
Git versions prior to v2.45.3
Git versions prior to v2.44.3
Git versions prior to v2.43.6
Git versions prior to v2.42.4
Git versions prior to v2.41.3
Git versions prior to v2.40.4
Description
The issue lies in the ANSI escape sequence handling of Git, a distributed revision control system. It allows attackers to craft URLs containing ANSI escape sequences that can confuse users into entering passwords for trusted Git hosting sites, which are then sent to untrusted sites under the attacker's control. This is possible because, when no credential helper is in use, Git prints the host name for which the user is expected to provide a username and/or password in a terminal prompt; any URL-encoded parts have already been decoded at that point and are printed verbatim, so control characters reach the terminal unescaped.
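As an added illustration (not code from the advisory or from the Git project), the following Python models the prompt behaviour described above: the URL is percent-decoded before display, and the unhardened path prints it verbatim while the hardened path escapes control characters first. The sample URLs, the prompt format and the function names are constructed for this example.

```python
from urllib.parse import unquote

# Constructed sample inputs (not taken from the advisory). The second URL
# carries a percent-encoded ESC byte (0x1b), which a terminal would interpret
# as the start of an ANSI escape sequence once decoded and printed raw.
CLEAN_URL = "https://git.example.test/org/repo.git"
CONTROL_URL = "https://git.example.test/%1b[31morg/repo.git"


def is_control(ch: str) -> bool:
    """True for C0 control characters and DEL, the bytes a terminal acts on."""
    code = ord(ch)
    return code < 0x20 or code == 0x7F


def escape_controls(text: str) -> str:
    """Replace every control character with a visible \\xNN form."""
    return "".join(f"\\x{ord(c):02x}" if is_control(c) else c for c in text)


def build_prompt(url: str, hardened: bool) -> str:
    """Model of the terminal credential prompt (hypothetical format).

    The URL is percent-decoded before display, as the advisory describes.
    Unhardened: decoded characters are printed verbatim.
    Hardened: control characters are escaped so they render as literal text.
    """
    decoded = unquote(url)
    shown = escape_controls(decoded) if hardened else decoded
    return f"Username for '{shown}': "


def has_control_after_decoding(url: str) -> bool:
    """Defensive check: does this URL decode to any terminal control byte?"""
    return any(is_control(c) for c in unquote(url))


if __name__ == "__main__":
    for url in (CLEAN_URL, CONTROL_URL):
        print(repr(build_prompt(url, hardened=False)))
        print(repr(build_prompt(url, hardened=True)))
        print("flagged:", has_control_after_decoding(url))
```

The same check can be applied to submodule URLs in `.gitmodules` before a recursive clone, which is the case the workaround below singles out.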
Recommendations
For Git versions prior to v2.48.1, upgrade to v2.48.1 or later.
For Git versions prior to v2.47.2, upgrade to v2.47.2 or later.
For Git versions prior to v2.46.3, upgrade to v2.46.3 or later.
For Git versions prior to v2.45.3, upgrade to v2.45.3 or later.
For Git versions prior to v2.44.3, upgrade to v2.44.3 or later.
For Git versions prior to v2.43.6, upgrade to v2.43.6 or later.
For Git versions prior to v2.42.4, upgrade to v2.42.4 or later.
For Git versions prior to v2.41.3, upgrade to v2.41.3 or later.
For Git versions prior to v2.40.4, upgrade to v2.40.4 or later.
As a temporary workaround, users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
Weakness Type (CWE-116)
Improper Encoding or Escaping of Output
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Git
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu