CVE-2020-5260 - Insufficiently Protected Credentials vulnerability in multiple products
Summary
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing.

The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git.

The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
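The protocol-level effect described above, and the newline check that closes it, as an added example (this is not Git's source code and not part of the original advisory). It models the credential helper stream as key=value lines ended by a blank line. The function names, the sample values, and the helper that keeps the last value seen for a repeated key are assumptions of this sketch.

```python
"""Credential helper protocol stream and the newline check (CVE-2020-5260).

Added illustration, not Git's source code. Function names and sample
values are constructed for this example.
"""
from urllib.parse import unquote

# Constructed sample URLs for the audit helper (e.g. taken from a
# submodule list). Only the first one is clean.
SAMPLE_URLS = [
    "https://good.example.com/lib.git",
    "https://good.example.com/lib%0A.git",
    "https://good.example.com/lib%0a.git",
]


class CredentialError(ValueError):
    """Raised when a value cannot be represented safely in the stream."""


def write_unchecked(fields):
    """Pre-fix behaviour: emit key=value lines with no validation."""
    return "".join(f"{key}={value}\n" for key, value in fields.items()) + "\n"


def write_checked(fields):
    """Post-fix behaviour: refuse any value that contains a newline."""
    for key, value in fields.items():
        if "\n" in value:
            raise CredentialError(f"credential value for {key} contains newline")
    return write_unchecked(fields)


def helper_parse(stream):
    """Helper-side reader: key=value lines up to the first blank line.

    Assumption of this sketch: a repeated key overwrites the earlier value.
    """
    seen = {}
    for line in stream.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise CredentialError(f"malformed line: {line!r}")
        seen[key] = value
    return seen


def urls_with_encoded_newline(urls):
    """Audit helper: return URLs whose percent-decoded form has LF or CR.

    Checking CR as well as LF is a conservative choice made here.
    """
    flagged = []
    for url in urls:
        decoded = unquote(url)
        if "\n" in decoded or "\r" in decoded:
            flagged.append(url)
    return flagged


def demo():
    """Return (host the helper would look up, whether the fixed writer rejects)."""
    # Constructed sample: the already-decoded host component of a crafted
    # URL, carrying a newline followed by a second host line.
    crafted = {
        "protocol": "https",
        "host": "evil.example.com\nhost=good.example.com",
    }
    looked_up = helper_parse(write_unchecked(crafted))["host"]
    try:
        write_checked(crafted)
        rejected = False
    except CredentialError:
        rejected = True
    return looked_up, rejected


if __name__ == "__main__":
    print(demo())
    print(urls_with_encoded_newline(SAMPLE_URLS))
```

The audit helper is meant for URL lists that users never see, such as submodule or package manifests; upgrading to a patched version remains the actual fix.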
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Session Sidejacking: Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
- Lifting credential(s)/key material embedded in client distributions (thick or thin): An attacker examines a target application's code or configuration files to find credential or key material that has been embedded within the application or its files. Many services require authentication of their users for various purposes including billing, access control or attribution. Some client applications store the user's authentication credentials or keys to accelerate the login process. Some clients may have built-in keys or credentials (in which case the server is authenticating with the client, rather than the user). If the attacker is able to locate where this information is stored, they may be able to retrieve these credentials. The attacker could then use these stolen credentials to impersonate the user or client, respectively, in interactions with the service or use stolen keys to eavesdrop on nominally secure communications between the client and server.
- Password Recovery Exploitation: An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the workplace and supplying their mother's maiden name for verification purposes. An attacker can then try to log into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
Nessus
- NASL family: Slackware Local Security Checks
  NASL id: SLACKWARE_SSA_2020-105-01.NASL
  description: New git packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
  last seen: 2020-04-30
  modified: 2020-04-15
  plugin id: 135576
  published: 2020-04-15
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135576
  title: Slackware 14.0 / 14.1 / 14.2 / current : git (SSA:2020-105-01)
  code:

    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Slackware Security Advisory 2020-105-01. The text
    # itself is copyright (C) Slackware Linux, Inc.
    #

    include("compat.inc");

    if (description)
    {
      script_id(135576);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

      script_cve_id("CVE-2020-5260");
      script_xref(name:"SSA", value:"2020-105-01");

      script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : git (SSA:2020-105-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
          "New git packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2020&m=slackware-security.438101
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9a38da02"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected git package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5260");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:git");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");

      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");

    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

    flag = 0;
    if (slackware_check(osver:"14.0", pkgname:"git", pkgver:"2.17.4", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"git", pkgver:"2.17.4", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++;

    if (slackware_check(osver:"14.1", pkgname:"git", pkgver:"2.17.4", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"git", pkgver:"2.17.4", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;

    if (slackware_check(osver:"14.2", pkgname:"git", pkgver:"2.17.4", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"git", pkgver:"2.17.4", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++;

    if (slackware_check(osver:"current", pkgname:"git", pkgver:"2.26.1", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"git", pkgver:"2.26.1", pkgarch:"x86_64", pkgnum:"1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
- NASL family: PhotonOS Local Security Checks
  NASL id: PHOTONOS_PHSA-2020-3_0-0086_GIT.NASL
  description: An update of the git package has been released.
  last seen: 2020-05-18
  modified: 2020-05-13
  plugin id: 136573
  published: 2020-05-13
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136573
  title: Photon OS 3.0: Git PHSA-2020-3.0-0086

- NASL family: Red Hat Local Security Checks
  NASL id: REDHAT-RHSA-2020-1511.NASL
  description: The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1511 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
  last seen: 2020-04-23
  modified: 2020-04-21
  plugin id: 135770
  published: 2020-04-21
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135770
  title: RHEL 7 : git (RHSA-2020:1511)

- NASL family: SuSE Local Security Checks
  NASL id: SUSE_SU-2020-1121-1.NASL
  description: This update for git fixes the following issues : Security issues fixed : CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper to providing credential information that is not appropriate for the protocol in use and host being contacted (bsc#1169936) git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792) Fix git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). CVE-2020-5260: Specially crafted URLs with newline characters could have been used to make the Git client to send credential information for a wrong host to the attacker
  last seen: 2020-05-06
  modified: 2020-04-29
  plugin id: 136074
  published: 2020-04-29
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136074
  title: SUSE SLED15 / SLES15 Security Update : git (SUSE-SU-2020:1121-1)

- NASL family: Amazon Linux Local Security Checks
  NASL id: AL2_ALAS-2020-1409.NASL
  description: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol. (CVE-2020-5260)
  last seen: 2020-04-30
  modified: 2020-04-16
  plugin id: 135594
  published: 2020-04-16
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135594
  title: Amazon Linux 2 : git (ALAS-2020-1409)

- NASL family: SuSE Local Security Checks
  NASL id: OPENSUSE-2020-598.NASL
  description: This update for git fixes the following issues : Security issues fixed : - CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper to providing credential information that is not appropriate for the protocol in use and host being contacted (bsc#1169936) git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792) - Fix git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). - CVE-2020-5260: Specially crafted URLs with newline characters could have been used to make the Git client to send credential information for a wrong host to the attacker
  last seen: 2020-05-08
  modified: 2020-05-04
  plugin id: 136311
  published: 2020-05-04
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136311
  title: openSUSE Security Update : git (openSUSE-2020-598)

- NASL family: Huawei Local Security Checks
  NASL id: EULEROS_SA-2020-1537.NASL
  description: According to the versions of the git packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a
  last seen: 2020-05-08
  modified: 2020-05-01
  plugin id: 136240
  published: 2020-05-01
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136240
  title: EulerOS Virtualization for ARM 64 3.0.2.0 : git (EulerOS-SA-2020-1537)

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2020-4E093619BB.NASL
  description: Security fix for CVE-2020-5260 and CVE-2020-11008
    CVE-2020-5260 - From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.4.txt) :
    > With a crafted URL that contains a newline in it, the credential
    > helper machinery can be fooled to give credential information for
    > a wrong host. The attack has been made impossible by forbidding
    > a newline character in any value passed via the credential
    > protocol.
    CVE-2020-11008 - From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt):
    > With a crafted URL that contains a newline or empty host, or lacks
    > a scheme, the credential helper machinery can be fooled into
    > providing credential information that is not appropriate for the
    > protocol in use and host being contacted.
    >
    > Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
    > credentials are not for a host of the attacker
  last seen: 2020-05-08
  modified: 2020-05-01
  plugin id: 136211
  published: 2020-05-01
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136211
  title: Fedora 30 : git (2020-4e093619bb)

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2020-CDEF88BB89.NASL
  description: Security fix for CVE-2020-5260
    From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.4.txt) :
    > With a crafted URL that contains a newline in it, the credential
    > helper machinery can be fooled to give credential information for
    > a wrong host. The attack has been made impossible by forbidding
    > a newline character in any value passed via the credential
    > protocol.
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-04-30
  modified: 2020-04-20
  plugin id: 135728
  published: 2020-04-20
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135728
  title: Fedora 31 : git (2020-cdef88bb89)

- NASL family: Red Hat Local Security Checks
  NASL id: REDHAT-RHSA-2020-1513.NASL
  description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1513 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
  last seen: 2020-04-23
  modified: 2020-04-22
  plugin id: 135875
  published: 2020-04-22
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135875
  title: RHEL 8 : git (RHSA-2020:1513)

- NASL family: SuSE Local Security Checks
  NASL id: OPENSUSE-2020-524.NASL
  description: This update for git fixes the following issues : - CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). This update was imported from the SUSE:SLE-15:Update update project.
  last seen: 2020-04-30
  modified: 2020-04-20
  plugin id: 135749
  published: 2020-04-20
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135749
  title: openSUSE Security Update : git (openSUSE-2020-524)

- NASL family: Huawei Local Security Checks
  NASL id: EULEROS_SA-2020-1578.NASL
  description: According to the version of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external
  last seen: 2020-05-31
  modified: 2020-05-26
  plugin id: 136856
  published: 2020-05-26
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136856
  title: EulerOS 2.0 SP8 : git (EulerOS-SA-2020-1578)

- NASL family: Amazon Linux Local Security Checks
  NASL id: AL2_ALAS-2020-1416.NASL
  description: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external
  last seen: 2020-05-12
  modified: 2020-05-07
  plugin id: 136360
  published: 2020-05-07
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136360
  title: Amazon Linux 2 : git (ALAS-2020-1416)

- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DSA-4657.NASL
  description: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
  last seen: 2020-04-30
  modified: 2020-04-15
  plugin id: 135499
  published: 2020-04-15
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135499
  title: Debian DSA-4657-1 : git - security update

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2020-F6B3B6FB18.NASL
  description: Security fix for CVE-2020-5260
    From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt) :
    > With a crafted URL that contains a newline or empty host, or lacks
    > a scheme, the credential helper machinery can be fooled into
    > providing credential information that is not appropriate for the
    > protocol in use and host being contacted.
    >
    > Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
    > credentials are not for a host of the attacker
  last seen: 2020-05-03
  modified: 2020-04-27
  plugin id: 136001
  published: 2020-04-27
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136001
  title: Fedora 31 : git (2020-f6b3b6fb18)

- NASL family: Huawei Local Security Checks
  NASL id: EULEROS_SA-2020-1598.NASL
  description: According to the versions of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external
  last seen: 2020-06-06
  modified: 2020-06-02
  plugin id: 137016
  published: 2020-06-02
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/137016
  title: EulerOS 2.0 SP5 : git (EulerOS-SA-2020-1598)

- NASL family: FreeBSD Local Security Checks
  NASL id: FREEBSD_PKG_CED2D47E846911EAA283B42E99A1B9C3.NASL
  description: git security advisory reports : Git uses external
  last seen: 2020-06-10
  modified: 2020-06-05
  plugin id: 137168
  published: 2020-06-05
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/137168
  title: FreeBSD : malicious URLs may present credentials to wrong server (ced2d47e-8469-11ea-a283-b42e99a1b9c3)

- NASL family: PhotonOS Local Security Checks
  NASL id: PHOTONOS_PHSA-2020-1_0-0291_GIT.NASL
  description: An update of the git package has been released.
  last seen: 2020-05-15
  modified: 2020-05-07
  plugin id: 136406
  published: 2020-05-07
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136406
  title: Photon OS 1.0: Git PHSA-2020-1.0-0291

- NASL family: PhotonOS Local Security Checks
  NASL id: PHOTONOS_PHSA-2020-2_0-0236_GIT.NASL
  description: An update of the git package has been released.
  last seen: 2020-05-15
  modified: 2020-05-05
  plugin id: 136328
  published: 2020-05-05
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136328
  title: Photon OS 2.0: Git PHSA-2020-2.0-0236

- NASL family: Gentoo Local Security Checks
  NASL id: GENTOO_GLSA-202004-13.NASL
  description: The remote host is affected by the vulnerability described in GLSA-202004-13 (Git: Information disclosure) Multiple vulnerabilities have been discovered in Git. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by providing a specially crafted URL, could possibly trick Git into returning credential information for a wrong host. Workaround : Disabling credential helpers will prevent this vulnerability.
  last seen: 2020-04-30
  modified: 2020-04-24
  plugin id: 135949
  published: 2020-04-24
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135949
  title: GLSA-202004-13 : Git: Information disclosure

- NASL family: Amazon Linux Local Security Checks
  NASL id: ALA_ALAS-2020-1357.NASL
  description: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.(CVE-2020-5260)
  last seen: 2020-04-30
  modified: 2020-04-17
  plugin id: 135710
  published: 2020-04-17
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135710
  title: Amazon Linux AMI : git (ALAS-2020-1357)

- NASL family: Oracle Linux Local Security Checks
  NASL id: ORACLELINUX_ELSA-2020-1511.NASL
  description: From Red Hat Security Advisory 2020:1511 : The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1511 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
  last seen: 2020-06-06
  modified: 2020-04-24
  plugin id: 135952
  published: 2020-04-24
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135952
  title: Oracle Linux 7 : git (ELSA-2020-1511)

- NASL family: Red Hat Local Security Checks
  NASL id: REDHAT-RHSA-2020-1518.NASL
  description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1518 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
  last seen: 2020-04-23
  modified: 2020-04-21
  plugin id: 135862
  published: 2020-04-21
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135862
  title: RHEL 8 : git (RHSA-2020:1518)

- NASL family: Scientific Linux Local Security Checks
  NASL id: SL_20200421_GIT_ON_SL7_X.NASL
  description: Security Fix(es) : - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260)
  last seen: 2020-05-15
  modified: 2020-04-22
  plugin id: 135886
  published: 2020-04-22
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135886
  title: Scientific Linux Security Update : git on SL7.x x86_64 (20200421)

- NASL family: Ubuntu Local Security Checks
  NASL id: UBUNTU_USN-4329-1.NASL
  description: Felix Wilhelm discovered that Git incorrectly handled certain URLs that included newlines. A remote attacker could possibly use this issue to trick Git into returning credential information for a wrong host. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-04-30
  modified: 2020-04-15
  plugin id: 135581
  published: 2020-04-15
  reporter: Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135581
  title: Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : git vulnerability (USN-4329-1)

- NASL family: CentOS Local Security Checks
  NASL id: CENTOS_RHSA-2020-1511.NASL
  description: The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1511 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
  last seen: 2020-06-06
  modified: 2020-05-01
  plugin id: 136197
  published: 2020-05-01
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136197
  title: CentOS 7 : git (CESA-2020:1511)

- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DLA-2177.NASL
  description: Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. For Debian 8
  last seen: 2020-04-30
  modified: 2020-04-16
  plugin id: 135596
  published: 2020-04-16
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135596
  title: Debian DLA-2177-1 : git security update

- NASL family: Huawei Local Security Checks
  NASL id: EULEROS_SA-2020-1503.NASL
  description: According to the version of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external
  last seen: 2020-05-03
  modified: 2020-04-20
  plugin id: 135736
  published: 2020-04-20
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135736
  title: EulerOS 2.0 SP8 : git (EulerOS-SA-2020-1503)

- NASL family: Oracle Linux Local Security Checks
  NASL id: ORACLELINUX_ELSA-2020-1513.NASL
  description: From Red Hat Security Advisory 2020:1513 : The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1513 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
  last seen: 2020-04-30
  modified: 2020-04-24
  plugin id: 135954
  published: 2020-04-24
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135954
  title: Oracle Linux 8 : git (ELSA-2020-1513)

- NASL family: SuSE Local Security Checks
  NASL id: SUSE_SU-2020-0991-1.NASL
  description: This update for git fixes the following issues : CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-04-30
  modified: 2020-04-15
  plugin id: 135579
  published: 2020-04-15
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135579
  title: SUSE SLED15 / SLES15 Security Update : git (SUSE-SU-2020:0991-1)

- NASL family: SuSE Local Security Checks
  NASL id: SUSE_SU-2020-1295-1.NASL
  description: This update for git to 2.26.2 fixes the following issues : Security issue fixed : CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper to providing credential information that is not appropriate for the protocol in use and host being contacted (bsc#1169936). Non-security issue fixed : Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). Enabled access for git-daemon in firewall configuration (bsc#1170302). Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-05-31
  modified: 2020-05-22
  plugin id: 136789
  published: 2020-05-22
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136789
  title: SUSE SLES12 Security Update : git (SUSE-SU-2020:1295-1)

- NASL family: SuSE Local Security Checks
  NASL id: SUSE_SU-2020-0992-1.NASL
  description: This update for git fixes the following issues : Security issue fixed : CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). Non-security issue fixed : git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608): the xinetd snippet was removed the System V init script for the git-daemon was replaced by a systemd service file of the same name. git 2.26.0:
  last seen: 2020-04-30
  modified: 2020-04-15
  plugin id: 135580
  published: 2020-04-15
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/135580
  title: SUSE SLES12 Security Update : git (SUSE-SU-2020:0992-1)
References
- https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b
- https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
- https://www.debian.org/security/2020/dsa-4657
- https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html
- http://www.openwall.com/lists/oss-security/2020/04/15/5
- http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html
- http://www.openwall.com/lists/oss-security/2020/04/15/6
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html
- https://support.apple.com/kb/HT211141
- http://www.openwall.com/lists/oss-security/2020/04/20/1
- https://security.gentoo.org/glsa/202004-13
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- https://usn.ubuntu.com/4329-1/
- https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/