PT-2025-2920 · Git Credential Manager
Felix Wilhelm · Published 2025-01-14 · Updated 2026-01-15
CVE-2024-52006
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Git versions prior to v2.48.1
Git versions prior to v2.47.2
Git versions prior to v2.46.3
Git versions prior to v2.45.3
Git versions prior to v2.44.3
Git versions prior to v2.43.6
Git versions prior to v2.42.4
Git versions prior to v2.41.3
Git versions prior to v2.40.4
Description
The issue lies in the Git credential protocol, which is text-based and consists of key-value pairs. Git and the Git Credential Manager (GCM) treat newlines differently, and an attacker can craft a malicious remote URL that exploits this mismatch to capture the credentials for another Git remote. The risk is heightened when cloning repositories that contain submodules with the --recursive clone option.
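As an added example (not code from Git or GCM), the following is a strict writer and reader for the key=value credential protocol the description refers to, with the check a hardened implementation needs: no attribute may carry a carriage return or line feed, so a reader with a different newline convention can never see a different set of attributes. The attribute names follow the protocol (protocol, host, path); the sample values are constructed.

```python
# Added example, not code from Git or GCM: a strict writer and reader for the
# key=value credential protocol (one "key=value\n" per attribute, empty line
# ends the record). No CR or LF may enter a field, so a reader with another
# newline convention cannot see a different set of attributes.
from typing import Dict

_FORBIDDEN = ("\r", "\n")


class CredentialProtocolError(ValueError):
    """Raised when a record cannot be exchanged safely."""


def encode_record(attrs: Dict[str, str]) -> bytes:
    """Serialise attributes for a helper, refusing any CR or LF in a field."""
    lines = []
    for key, value in attrs.items():
        for bad in _FORBIDDEN:
            if bad in key or bad in value:
                raise CredentialProtocolError(
                    f"control character {bad!r} in attribute {key!r}")
        if key == "" or "=" in key:
            raise CredentialProtocolError(f"invalid key {key!r}")
        lines.append(f"{key}={value}")
    return ("\n".join(lines) + "\n\n").encode("utf-8")


def parse_record(raw: bytes) -> Dict[str, str]:
    """Read one record; only a bare LF terminates a line."""
    attrs: Dict[str, str] = {}
    for line in raw.decode("utf-8").split("\n"):
        if line == "":
            break  # empty line closes the record
        if "=" not in line:
            raise CredentialProtocolError(f"malformed line {line!r}")
        key, value = line.split("=", 1)  # a value may itself contain "="
        if "\r" in key or "\r" in value:
            # A CRLF-based reader would take this CR as a line break.
            raise CredentialProtocolError(f"carriage return in {key!r}")
        attrs[key] = value
    return attrs


def record_is_safe(attrs: Dict[str, str]) -> bool:
    """True when the attributes can be forwarded to a helper unchanged."""
    try:
        encode_record(attrs)
    except CredentialProtocolError:
        return False
    return True
```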
Recommendations
For versions prior to v2.48.1, upgrade to v2.48.1 or later.
For versions prior to v2.47.2, upgrade to v2.47.2 or later.
For versions prior to v2.46.3, upgrade to v2.46.3 or later.
For versions prior to v2.45.3, upgrade to v2.45.3 or later.
For versions prior to v2.44.3, upgrade to v2.44.3 or later.
For versions prior to v2.43.6, upgrade to v2.43.6 or later.
For versions prior to v2.42.4, upgrade to v2.42.4 or later.
For versions prior to v2.41.3, upgrade to v2.41.3 or later.
For versions prior to v2.40.4, upgrade to v2.40.4 or later.
As a temporary workaround, avoid cloning from untrusted URLs, and in particular avoid recursive clones of untrusted repositories.
Information Disclosure
Improper Encoding or Escaping of Output
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
Git
Git Credential Manager
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu