Git Releases Security Update With Newline Character Creating Possible Credential Leak
Git 2.26.1 along with new point releases going back to Git 2.17 were issued today as a result of a security issue.
A member of Google's Project Zero team discovered that a specially crafted URL could trick the Git client into sending credential information for an alternative host to an attacker's host.
In this case, the specially crafted URL only needs to contain a newline character (an end-of-line control character) to fool the credential handling in existing Git releases into potentially sending the data to an alternate host.
With today's emergency updates to Git, the credential protocol code now rightfully forbids newline characters in any values. While a forged URL may be easy to spot when you run the Git clone yourself, this vulnerability was also exposed through Git sub-module handling and other operations that rely on the credential helper.
This Git credential issue was tracked as CVE-2020-5260. So update Git to avoid this potential malicious disclosure of your Git server user credentials.
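The check the fix introduces, as an added illustration rather than Git's own code: the credential helper protocol is a series of `key=value` lines ended by a blank line, so any value that carries a raw newline must be refused before it reaches a helper. This example assumes Python's standard URL parser and the real protocol keys (`protocol`, `host`, `username`, `password`, `path`); the sample URLs are constructed.

```python
from urllib.parse import urlsplit, unquote


def credential_fields_from_url(url: str) -> dict:
    """Derive the key/value pairs that would be handed to a credential helper.

    Percent-encoded URL components are decoded before use, which is how an
    encoded newline (%0a) in a URL could reach the helper as a raw newline.
    """
    parts = urlsplit(url)
    fields = {"protocol": parts.scheme}
    if parts.hostname:
        fields["host"] = unquote(parts.hostname)
    if parts.username is not None:
        fields["username"] = unquote(parts.username)
    if parts.password is not None:
        fields["password"] = unquote(parts.password)
    fields["path"] = unquote(parts.path.lstrip("/"))
    return fields


def encode_credential_request(fields: dict) -> str:
    """Serialise fields as a credential helper request.

    Mirrors the hardening described above: a value containing a newline is
    rejected, because the newline would end the current line and let the
    remainder be read by the helper as a second, attacker-chosen key.
    """
    lines = []
    for key, value in fields.items():
        if "\n" in value:
            raise ValueError(f"credential value for {key!r} contains a newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def credential_request_for_url(url: str) -> str:
    """Build the wire request for a URL, or raise ValueError if it is unsafe."""
    return encode_credential_request(credential_fields_from_url(url))


if __name__ == "__main__":
    # Constructed benign URL: serialises cleanly.
    print(credential_request_for_url("https://alice@git.example.com/org/repo.git"))
    # Constructed URL with an encoded newline in the user part: refused.
    try:
        credential_request_for_url("https://alice%0aoops@git.example.com/org/repo.git")
    except ValueError as exc:
        print("rejected:", exc)
```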