{"containers": {"cna": {"affected": [{"product": "git", "vendor": "git", "versions": [{"status": "affected", "version": "< 2.17.5"}, {"status": "affected", "version": ">= 2.18.0, < 2.18.4"}, {"status": "affected", "version": ">= 2.19.0, 2.19.5"}, {"status": "affected", "version": ">= 2.20.0, < 2.20.4"}, {"status": "affected", "version": ">= 2.21.0, < 2.21.3"}, {"status": "affected", "version": ">= 2.22.0, < 2.22.4"}, {"status": "affected", "version": ">= 2.23.0, < 2.23.3"}, {"status": "affected", "version": ">= 2.24.0, < 2.24.3"}, {"status": "affected", "version": ">= 2.25.0, < 2.25.4"}, {"status": "affected", "version": ">= 2.26.0, < 2.26.2"}]}], "descriptions": [{"lang": "en", "value": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a \"blank\" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's \"store\" helper - Git's \"cache\" helper - the \"osxkeychain\" helper that ships in Git's \"contrib\" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-05-22T18:06:08.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282"}, {"name": "GLSA-202004-13", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202004-13"}, {"name": "[debian-lts-announce] 20200424 [SECURITY] [DLA 2182-1] git security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00015.html"}, {"name": "FEDORA-2020-f6b3b6fb18", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"}, {"name": "FEDORA-2020-b2a2c830cf", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"}, {"name": "USN-4334-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4334-1/"}, {"name": "FEDORA-2020-4e093619bb", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"}, {"name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT211183"}, {"name": "20200522 APPLE-SA-2020-05-20-1 Xcode 11.5", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2020/May/41"}], "source": {"advisory": "GHSA-hjc9-x69f-jqj7", "discovery": "UNKNOWN"}, "title": "Malicious URLs can still cause Git to send a stored credential to the wrong server", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11008", "STATE": "PUBLIC", "TITLE": "Malicious URLs can still cause Git to send a stored credential to the wrong server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "git", "version": {"version_data": [{"version_value": "< 2.17.5"}, {"version_value": ">= 2.18.0, < 2.18.4"}, {"version_value": ">= 2.19.0, 2.19.5"}, {"version_value": ">= 2.20.0, < 2.20.4"}, {"version_value": ">= 2.21.0, < 2.21.3"}, {"version_value": ">= 2.22.0, < 2.22.4"}, {"version_value": ">= 2.23.0, < 2.23.3"}, {"version_value": ">= 2.24.0, < 2.24.3"}, {"version_value": ">= 2.25.0, < 2.25.4"}, {"version_value": ">= 2.26.0, < 2.26.2"}]}}]}, "vendor_name": "git"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a \"blank\" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's \"store\" helper - Git's \"cache\" helper - the \"osxkeychain\" helper that ships in Git's \"contrib\" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7", "refsource": "CONFIRM", "url": "https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7"}, {"name": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q", "refsource": "MISC", "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"}, {"name": "https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282", "refsource": "MISC", "url": "https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282"}, {"name": "GLSA-202004-13", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202004-13"}, {"name": "[debian-lts-announce] 20200424 [SECURITY] [DLA 2182-1] git security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00015.html"}, {"name": "FEDORA-2020-f6b3b6fb18", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"}, {"name": "FEDORA-2020-b2a2c830cf", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"}, {"name": "USN-4334-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4334-1/"}, {"name": "FEDORA-2020-4e093619bb", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"}, {"name": "openSUSE-SU-2020:0598", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"name": "https://support.apple.com/kb/HT211183", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT211183"}, {"name": "20200522 APPLE-SA-2020-05-20-1 Xcode 11.5", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2020/May/41"}]}, "source": {"advisory": "GHSA-hjc9-x69f-jqj7", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:21:14.528Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282"}, {"name": "GLSA-202004-13", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202004-13"}, {"name": "[debian-lts-announce] 20200424 [SECURITY] [DLA 2182-1] git security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00015.html"}, {"name": "FEDORA-2020-f6b3b6fb18", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"}, {"name": "FEDORA-2020-b2a2c830cf", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"}, {"name": "USN-4334-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4334-1/"}, {"name": "FEDORA-2020-4e093619bb", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"}, {"name": "openSUSE-SU-2020:0598", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/kb/HT211183"}, {"name": "20200522 APPLE-SA-2020-05-20-1 Xcode 11.5", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2020/May/41"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11008", "datePublished": "2020-04-21T18:40:13.000Z", "dateReserved": "2020-03-30T00:00:00.000Z", "dateUpdated": "2024-08-04T11:21:14.528Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "A186DC51-DE8D-4CDB-BEAD-475935A09B26", "versionEndExcluding": "2.17.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "58AE7EAD-B185-4A6A-B0E9-9D8524C60072", "versionEndExcluding": "2.18.4", "versionStartIncluding": "2.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "C84AEEBC-8FBB-467E-B27F-AE89A976A2B8", "versionEndExcluding": "2.19.5", "versionStartIncluding": "2.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "E576EE5A-19AE-4DA8-B68D-E7FEC317A737", "versionEndExcluding": "2.20.4", "versionStartIncluding": "2.20.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3C2AA1C-4CDC-4DF7-9BFC-07313AF87903", "versionEndExcluding": "2.21.3", "versionStartIncluding": "2.21.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "75C66031-DF10-41CE-8A96-60BEFDE87B38", "versionEndExcluding": "2.22.4", "versionStartIncluding": "2.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "34A96F37-0E8A-4C56-BF7A-0987E18F7BFB", "versionEndExcluding": "2.23.3", "versionStartIncluding": "2.23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FCA2D68-889E-4358-AF00-D94D7117DB5A", "versionEndExcluding": "2.24.3", "versionStartIncluding": "2.24.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "76FA3125-7826-4480-A06E-B81940FD22E1", "versionEndExcluding": "2.25.4", "versionStartIncluding": "2.25.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "8318D40D-AD16-461E-9D25-AC0069864832", "versionEndExcluding": "2.26.2", "versionStartIncluding": "2.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a \"blank\" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's \"store\" helper - Git's \"cache\" helper - the \"osxkeychain\" helper that ships in Git's \"contrib\" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability."}, {"lang": "es", "value": "Las versiones afectadas de Git tienen una vulnerabilidad por la que Git puede ser enga\u00f1ado para que env\u00ede credenciales privadas a un host controlado por un atacante. Este fallo es similar al CVE-2020-5260 (GHSA-qm7j-c969-7j4q). La correcci\u00f3n de ese bug todav\u00eda deja la puerta abierta para una explotaci\u00f3n donde se filtra la credencial de _some_ (pero el atacante no puede controlar cu\u00e1l). Git utiliza programas externos de \"credential helper\" para almacenar y recuperar contrase\u00f1as u otras credenciales desde el almacenamiento seguro proporcionado por el sistema operativo. Las URLs especialmente dise\u00f1adas que se consideran ilegales a partir de las versiones de Git recientemente publicadas pueden hacer que Git env\u00ede un patr\u00f3n \"blank\" a los asistentes, faltando los campos hostname y protocol. Muchos asistentes interpretar\u00e1n esto como una coincidencia con la URL _any_, y devolver\u00e1n alguna contrase\u00f1a almacenada sin especificar, filtrando la contrase\u00f1a hacia el servidor de un atacante. La vulnerabilidad puede ser desencadenada alimentando una URL maliciosa a \"git clone\". Sin embargo, las URLs afectadas parecen bastante sospechosas; el vector probable ser\u00eda por medio de sistemas que clonan autom\u00e1ticamente las URLs no visibles para el usuario, tales como los subm\u00f3dulos de Git, o sistemas de paquetes construidos alrededor de Git. La ra\u00edz del problema est\u00e1 en el propio Git, que no deber\u00eda estar alimentando con entradas en blanco a los asistentes. Sin embargo, la capacidad de explotar la vulnerabilidad en la pr\u00e1ctica depende de los asistentes que se utilicen. Los asistentes con credenciales que se sabe que desencadenan la vulnerabilidad: - El asistente \"store\" de Git - El asistente \"cache\" de Git - El asistente \"osxkeychain\" que se incluye en los asistentes de Credenciales del directorio \"contrib\" de Git que se conoce que son seguros incluso con versiones vulnerables de Git: - Cualquier asistente de Git Credential Manager para Windows que no est\u00e9 en esta lista, se debe asumir que desencadena la vulnerabilidad."}], "id": "CVE-2020-11008", "lastModified": "2024-11-21T04:56:34.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-21T19:15:13.457", "references": [{"source": "security-advisories@github.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"source": "security-advisories@github.com", "url": "http://seclists.org/fulldisclosure/2020/May/41"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00015.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202004-13"}, {"source": "security-advisories@github.com", "url": "https://support.apple.com/kb/HT211183"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4334-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2020/May/41"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00015.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202004-13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT211183"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4334-1/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Git project for reporting this issue. Upstream acknowledges Carlo Arenas as the original reporter.", "affected_release": [{"advisory": "RHSA-2020:2337", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "git-0:1.8.3.1-23.el7_8", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-05-28T00:00:00Z"}, {"advisory": "RHSA-2020:3581", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "git-0:1.8.3.1-23.el7_7", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2020-08-31T00:00:00Z"}, {"advisory": "RHSA-2020:1980", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "git-0:2.18.4-2.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-30T00:00:00Z"}, {"advisory": "RHSA-2020:1978", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "git-0:2.18.4-1.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-04-30T00:00:00Z"}, {"advisory": "RHSA-2020:1979", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "git-0:2.18.4-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-04-30T00:00:00Z"}, {"advisory": "RHSA-2020:1975", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-git218-git-0:2.18.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-04-29T00:00:00Z"}, {"advisory": "RHSA-2020:1975", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-git218-git-0:2.18.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-04-29T00:00:00Z"}, {"advisory": "RHSA-2020:1975", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-git218-git-0:2.18.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-04-29T00:00:00Z"}], "bugzilla": {"description": "git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak", "id": "1826001", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826001"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a \"blank\" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's \"store\" helper - Git's \"cache\" helper - the \"osxkeychain\" helper that ships in Git's \"contrib\" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability.", "A flaw was found in git where credentials can be leaked through the use of a crafted URL. The crafted URL must contain a newline, empty host, or lack a scheme so that the credential helper is fulled into giving the information of a different host to the client. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "The most complete workaround is to disable credential helpers altogether:\n~~~\ngit config --unset credential.helper\ngit config --global --unset credential.helper\ngit config --system --unset credential.helper\n~~~\nAn alternative is to avoid malicious URLs:\n1. Examine the hostname and username portion of URLs fed to git clone or git fetch for the presence of encoded newlines (%0A) or syntactic oddities (e.g., http:///host with three slashes).\n2. Avoid using submodules with untrusted repositories (don't use git clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules).\n3. Avoid tools which may run git clone on untrusted URLs under the hood.\n4. Avoid using the credential helper by only cloning publicly available repositories."}, "name": "CVE-2020-11008", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "git", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2020-04-20T18:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-11008\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11008\nhttps://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7\nhttps://lore.kernel.org/git/xmqq4kterq5s.fsf@gitster.c.googlers.com/"], "statement": "Red Hat Enterprise Linux 6 is not affected by this flaw as the vulnerable version of git, version 1.7.9-rc0 and later, was never made available for this product.", "threat_severity": "Important"}

{}