Vulnerabilities > CVE-2020-5260 - Insufficiently Protected Credentials vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE

Summary

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.

Vulnerable Configurations

Part Description Count
Application
Git
158
Application
Git-Scm
42
OS
Debian
3
OS
Canonical
3
OS
Fedoraproject
3
OS
Opensuse
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Session Sidejacking
    Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
  • Lifting credential(s)/key material embedded in client distributions (thick or thin)
    An attacker examines a target application's code or configuration files to find credential or key material that has been embedded within the application or its files. Many services require authentication with their users for the various purposes including billing, access control or attribution. Some client applications store the user's authentication credentials or keys to accelerate the login process. Some clients may have built-in keys or credentials (in which case the server is authenticating with the client, rather than the user). If the attacker is able to locate where this information is stored, they may be able to retrieve these credentials. The attacker could then use these stolen credentials to impersonate the user or client, respectively, in interactions with the service or use stolen keys to eavesdrop on nominally secure communications between the client and server.
  • Password Recovery Exploitation
    An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.

Nessus

  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2020-105-01.NASL
    descriptionNew git packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-04-30
    modified2020-04-15
    plugin id135576
    published2020-04-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135576
    titleSlackware 14.0 / 14.1 / 14.2 / current : git (SSA:2020-105-01)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2020-105-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135576);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");
    
      script_cve_id("CVE-2020-5260");
      script_xref(name:"SSA", value:"2020-105-01");
    
      script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : git (SSA:2020-105-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New git packages are available for Slackware 14.0, 14.1, 14.2, and
    -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2020&m=slackware-security.438101
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9a38da02"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected git package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-5260");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:git");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"14.0", pkgname:"git", pkgver:"2.17.4", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"git", pkgver:"2.17.4", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"git", pkgver:"2.17.4", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"git", pkgver:"2.17.4", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;
    
    if (slackware_check(osver:"14.2", pkgname:"git", pkgver:"2.17.4", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"git", pkgver:"2.17.4", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"git", pkgver:"2.26.1", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"git", pkgver:"2.26.1", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-3_0-0086_GIT.NASL
    descriptionAn update of the git package has been released.
    last seen2020-05-18
    modified2020-05-13
    plugin id136573
    published2020-05-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136573
    titlePhoton OS 3.0: Git PHSA-2020-3.0-0086
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1511.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1511 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-23
    modified2020-04-21
    plugin id135770
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135770
    titleRHEL 7 : git (RHSA-2020:1511)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-1121-1.NASL
    descriptionThis update for git fixes the following issues : Security issues fixed : CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper to providing credential information that is not appropriate for the protocol in use and host being contacted (bsc#1169936) git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792) Fix git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). CVE-2020-5260: Specially crafted URLs with newline characters could have been used to make the Git client to send credential information for a wrong host to the attacker
    last seen2020-05-06
    modified2020-04-29
    plugin id136074
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136074
    titleSUSE SLED15 / SLES15 Security Update : git (SUSE-SU-2020:1121-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2020-1409.NASL
    descriptionWith a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol. (CVE-2020-5260)
    last seen2020-04-30
    modified2020-04-16
    plugin id135594
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135594
    titleAmazon Linux 2 : git (ALAS-2020-1409)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-598.NASL
    descriptionThis update for git fixes the following issues : Security issues fixed : - CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper to providing credential information that is not appropriate for the protocol in use and host being contacted (bsc#1169936) git was updated to 2.26.1 (bsc#1169786, jsc#ECO-1628, bsc#1149792) - Fix git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). - CVE-2020-5260: Specially crafted URLs with newline characters could have been used to make the Git client to send credential information for a wrong host to the attacker
    last seen2020-05-08
    modified2020-05-04
    plugin id136311
    published2020-05-04
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136311
    titleopenSUSE Security Update : git (openSUSE-2020-598)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1537.NASL
    descriptionAccording to the versions of the git packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a
    last seen2020-05-08
    modified2020-05-01
    plugin id136240
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136240
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : git (EulerOS-SA-2020-1537)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-4E093619BB.NASL
    descriptionSecurity fix for CVE-2020-5260 and CVE-2020-11008 CVE-2020-5260 - From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17. 4.txt) : > With a crafted URL that contains a newline in it, the credential > helper machinery can be fooled to give credential information for > a wrong host. The attack has been made impossible by forbidding > a newline character in any value passed via the credential > protocol. CVE-2020-11008 - From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17. 5.txt): > With a crafted URL that contains a newline or empty host, or lacks > a scheme, the credential helper machinery can be fooled into > providing credential information that is not appropriate for the > protocol in use and host being contacted. > > Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the > credentials are not for a host of the attacker
    last seen2020-05-08
    modified2020-05-01
    plugin id136211
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136211
    titleFedora 30 : git (2020-4e093619bb)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-CDEF88BB89.NASL
    descriptionSecurity fix for CVE-2020-5260 From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17. 4.txt) : > With a crafted URL that contains a newline in it, the credential > helper machinery can be fooled to give credential information for > a wrong host. The attack has been made impossible by forbidding > a newline character in any value passed via the credential > protocol. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-20
    plugin id135728
    published2020-04-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135728
    titleFedora 31 : git (2020-cdef88bb89)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1513.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1513 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-23
    modified2020-04-22
    plugin id135875
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135875
    titleRHEL 8 : git (RHSA-2020:1513)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-524.NASL
    descriptionThis update for git fixes the following issues : - CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-04-30
    modified2020-04-20
    plugin id135749
    published2020-04-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135749
    titleopenSUSE Security Update : git (openSUSE-2020-524)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1578.NASL
    descriptionAccording to the version of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external
    last seen2020-05-31
    modified2020-05-26
    plugin id136856
    published2020-05-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136856
    titleEulerOS 2.0 SP8 : git (EulerOS-SA-2020-1578)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2020-1416.NASL
    descriptionAffected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external
    last seen2020-05-12
    modified2020-05-07
    plugin id136360
    published2020-05-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136360
    titleAmazon Linux 2 : git (ALAS-2020-1416)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4657.NASL
    descriptionFelix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.
    last seen2020-04-30
    modified2020-04-15
    plugin id135499
    published2020-04-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135499
    titleDebian DSA-4657-1 : git - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2020-F6B3B6FB18.NASL
    descriptionSecurity fix for CVE-2020-5260 From the upstream [release notes](https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17. 5.txt) : > With a crafted URL that contains a newline or empty host, or lacks > a scheme, the credential helper machinery can be fooled into > providing credential information that is not appropriate for the > protocol in use and host being contacted. > > Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the > credentials are not for a host of the attacker
    last seen2020-05-03
    modified2020-04-27
    plugin id136001
    published2020-04-27
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136001
    titleFedora 31 : git (2020-f6b3b6fb18)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1598.NASL
    descriptionAccording to the versions of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external
    last seen2020-06-06
    modified2020-06-02
    plugin id137016
    published2020-06-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137016
    titleEulerOS 2.0 SP5 : git (EulerOS-SA-2020-1598)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_CED2D47E846911EAA283B42E99A1B9C3.NASL
    descriptiongit security advisory reports : Git uses external
    last seen2020-06-10
    modified2020-06-05
    plugin id137168
    published2020-06-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137168
    titleFreeBSD : malicious URLs may present credentials to wrong server (ced2d47e-8469-11ea-a283-b42e99a1b9c3)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-1_0-0291_GIT.NASL
    descriptionAn update of the git package has been released.
    last seen2020-05-15
    modified2020-05-07
    plugin id136406
    published2020-05-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136406
    titlePhoton OS 1.0: Git PHSA-2020-1.0-0291
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2020-2_0-0236_GIT.NASL
    descriptionAn update of the git package has been released.
    last seen2020-05-15
    modified2020-05-05
    plugin id136328
    published2020-05-05
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136328
    titlePhoton OS 2.0: Git PHSA-2020-2.0-0236
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202004-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202004-13 (Git: Information disclosure) Multiple vulnerabilities have been discovered in Git. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by providing a specially crafted URL, could possibly trick Git into returning credential information for a wrong host. Workaround : Disabling credential helpers will prevent this vulnerability.
    last seen2020-04-30
    modified2020-04-24
    plugin id135949
    published2020-04-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135949
    titleGLSA-202004-13 : Git: Information disclosure
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2020-1357.NASL
    descriptionWith a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.(CVE-2020-5260)
    last seen2020-04-30
    modified2020-04-17
    plugin id135710
    published2020-04-17
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135710
    titleAmazon Linux AMI : git (ALAS-2020-1357)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1511.NASL
    descriptionFrom Red Hat Security Advisory 2020:1511 : The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1511 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-04-24
    plugin id135952
    published2020-04-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135952
    titleOracle Linux 7 : git (ELSA-2020-1511)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1518.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1518 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-23
    modified2020-04-21
    plugin id135862
    published2020-04-21
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135862
    titleRHEL 8 : git (RHSA-2020:1518)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20200421_GIT_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260)
    last seen2020-05-15
    modified2020-04-22
    plugin id135886
    published2020-04-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135886
    titleScientific Linux Security Update : git on SL7.x x86_64 (20200421)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4329-1.NASL
    descriptionFelix Wilhelm discovered that Git incorrectly handled certain URLs that included newlines. A remote attacker could possibly use this issue to trick Git into returning credential information for a wrong host. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-15
    plugin id135581
    published2020-04-15
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135581
    titleUbuntu 16.04 LTS / 18.04 LTS / 19.10 : git vulnerability (USN-4329-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2020-1511.NASL
    descriptionThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1511 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-06
    modified2020-05-01
    plugin id136197
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136197
    titleCentOS 7 : git (CESA-2020:1511)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2177.NASL
    descriptionFelix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. For Debian 8
    last seen2020-04-30
    modified2020-04-16
    plugin id135596
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135596
    titleDebian DLA-2177-1 : git security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1503.NASL
    descriptionAccording to the version of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external
    last seen2020-05-03
    modified2020-04-20
    plugin id135736
    published2020-04-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135736
    titleEulerOS 2.0 SP8 : git (EulerOS-SA-2020-1503)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-1513.NASL
    descriptionFrom Red Hat Security Advisory 2020:1513 : The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1513 advisory. - git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-04-30
    modified2020-04-24
    plugin id135954
    published2020-04-24
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135954
    titleOracle Linux 8 : git (ELSA-2020-1513)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0991-1.NASL
    descriptionThis update for git fixes the following issues : CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-30
    modified2020-04-15
    plugin id135579
    published2020-04-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135579
    titleSUSE SLED15 / SLES15 Security Update : git (SUSE-SU-2020:0991-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-1295-1.NASL
    descriptionThis update for git to 2.26.2 fixes the following issues : Security issue fixed : CVE-2020-11008: Specially crafted URLs may have tricked the credentials helper to providing credential information that is not appropriate for the protocol in use and host being contacted (bsc#1169936). Non-security issue fixed : Fixed git-daemon not starting after conversion from sysvinit to systemd service (bsc#1169605). Enabled access for git-daemon in firewall configuration (bsc#1170302). Fixed problems with recent switch to protocol v2, which caused fetches transferring unreasonable amount of data (bsc#1170741). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-31
    modified2020-05-22
    plugin id136789
    published2020-05-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136789
    titleSUSE SLES12 Security Update : git (SUSE-SU-2020:1295-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0992-1.NASL
    descriptionThis update for git fixes the following issues : Security issue fixed : CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host (bsc#1168930). Non-security issue fixed : git was updated to 2.26.0 for SHA256 support (bsc#1167890, jsc#SLE-11608): the xinetd snippet was removed the System V init script for the git-daemon was replaced by a systemd service file of the same name. git 2.26.0:
    last seen2020-04-30
    modified2020-04-15
    plugin id135580
    published2020-04-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135580
    titleSUSE SLES12 Security Update : git (SUSE-SU-2020:0992-1)

Redhat

advisories
  • bugzilla
    id1822020
    titleCVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentgit-svn is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511001
          • commentgit-svn is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003018
        • AND
          • commentgit-gnome-keyring is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511003
          • commentgit-gnome-keyring is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183408002
        • AND
          • commentgit-daemon is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511005
          • commentgit-daemon is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003004
        • AND
          • commentperl-Git-SVN is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511007
          • commentperl-Git-SVN is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152561012
        • AND
          • commentgitweb is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511009
          • commentgitweb is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003014
        • AND
          • commentgitk is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511011
          • commentgitk is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003020
        • AND
          • commentgit-p4 is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511013
          • commentgit-p4 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152561014
        • AND
          • commentgit-instaweb is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511015
          • commentgit-instaweb is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183408014
        • AND
          • commentgit-hg is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511017
          • commentgit-hg is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152561022
        • AND
          • commentgit-gui is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511019
          • commentgit-gui is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003006
        • AND
          • commentgit-email is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511021
          • commentgit-email is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003024
        • AND
          • commentgit-cvs is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511023
          • commentgit-cvs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003016
        • AND
          • commentgit-bzr is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511025
          • commentgit-bzr is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152561008
        • AND
          • commentgit-all is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511027
          • commentgit-all is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003010
        • AND
          • commentemacs-git-el is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511029
          • commentemacs-git-el is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003008
        • AND
          • commentemacs-git is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511031
          • commentemacs-git is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003022
        • AND
          • commentgit is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511033
          • commentgit is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003002
        • AND
          • commentperl-Git is earlier than 0:1.8.3.1-22.el7_8
            ovaloval:com.redhat.rhsa:tst:20201511035
          • commentperl-Git is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003012
    rhsa
    idRHSA-2020:1511
    released2020-04-21
    severityImportant
    titleRHSA-2020:1511: git security update (Important)
  • bugzilla
    id1822020
    titleCVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 8 is installed
        ovaloval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • commentperl-Git-SVN is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513001
          • commentperl-Git-SVN is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152561012
        • AND
          • commentperl-Git is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513003
          • commentperl-Git is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003012
        • AND
          • commentgitweb is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513005
          • commentgitweb is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003014
        • AND
          • commentgitk is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513007
          • commentgitk is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003020
        • AND
          • commentgit-gui is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513009
          • commentgit-gui is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003006
        • AND
          • commentgit-email is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513011
          • commentgit-email is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003024
        • AND
          • commentgit-core-doc is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513013
          • commentgit-core-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20194356014
        • AND
          • commentgit-all is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513015
          • commentgit-all is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003010
        • AND
          • commentgit-debugsource is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513017
          • commentgit-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20194356018
        • AND
          • commentgit-svn is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513019
          • commentgit-svn is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003018
        • AND
          • commentgit-subtree is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513021
          • commentgit-subtree is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20194356022
        • AND
          • commentgit-instaweb is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513023
          • commentgit-instaweb is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20183408014
        • AND
          • commentgit-daemon is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513025
          • commentgit-daemon is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003004
        • AND
          • commentgit-core is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513027
          • commentgit-core is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20194356028
        • AND
          • commentgit is earlier than 0:2.18.2-2.el8_1
            ovaloval:com.redhat.rhsa:tst:20201513029
          • commentgit is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20101003002
    rhsa
    idRHSA-2020:1513
    released2020-04-21
    severityImportant
    titleRHSA-2020:1513: git security update (Important)
rpms
  • rh-git218-git-0:2.18.2-3.el7
  • rh-git218-git-all-0:2.18.2-3.el7
  • rh-git218-git-core-0:2.18.2-3.el7
  • rh-git218-git-core-doc-0:2.18.2-3.el7
  • rh-git218-git-cvs-0:2.18.2-3.el7
  • rh-git218-git-daemon-0:2.18.2-3.el7
  • rh-git218-git-debuginfo-0:2.18.2-3.el7
  • rh-git218-git-email-0:2.18.2-3.el7
  • rh-git218-git-gui-0:2.18.2-3.el7
  • rh-git218-git-instaweb-0:2.18.2-3.el7
  • rh-git218-git-p4-0:2.18.2-3.el7
  • rh-git218-git-subtree-0:2.18.2-3.el7
  • rh-git218-git-svn-0:2.18.2-3.el7
  • rh-git218-gitk-0:2.18.2-3.el7
  • rh-git218-gitweb-0:2.18.2-3.el7
  • rh-git218-perl-Git-0:2.18.2-3.el7
  • rh-git218-perl-Git-SVN-0:2.18.2-3.el7
  • emacs-git-0:1.8.3.1-22.el7_8
  • emacs-git-el-0:1.8.3.1-22.el7_8
  • git-0:1.8.3.1-22.el7_8
  • git-all-0:1.8.3.1-22.el7_8
  • git-bzr-0:1.8.3.1-22.el7_8
  • git-cvs-0:1.8.3.1-22.el7_8
  • git-daemon-0:1.8.3.1-22.el7_8
  • git-debuginfo-0:1.8.3.1-22.el7_8
  • git-email-0:1.8.3.1-22.el7_8
  • git-gnome-keyring-0:1.8.3.1-22.el7_8
  • git-gui-0:1.8.3.1-22.el7_8
  • git-hg-0:1.8.3.1-22.el7_8
  • git-instaweb-0:1.8.3.1-22.el7_8
  • git-p4-0:1.8.3.1-22.el7_8
  • git-svn-0:1.8.3.1-22.el7_8
  • gitk-0:1.8.3.1-22.el7_8
  • gitweb-0:1.8.3.1-22.el7_8
  • perl-Git-0:1.8.3.1-22.el7_8
  • perl-Git-SVN-0:1.8.3.1-22.el7_8
  • git-0:2.18.2-2.el8_1
  • git-all-0:2.18.2-2.el8_1
  • git-core-0:2.18.2-2.el8_1
  • git-core-debuginfo-0:2.18.2-2.el8_1
  • git-core-doc-0:2.18.2-2.el8_1
  • git-daemon-0:2.18.2-2.el8_1
  • git-daemon-debuginfo-0:2.18.2-2.el8_1
  • git-debuginfo-0:2.18.2-2.el8_1
  • git-debugsource-0:2.18.2-2.el8_1
  • git-email-0:2.18.2-2.el8_1
  • git-gui-0:2.18.2-2.el8_1
  • git-instaweb-0:2.18.2-2.el8_1
  • git-subtree-0:2.18.2-2.el8_1
  • git-svn-0:2.18.2-2.el8_1
  • git-svn-debuginfo-0:2.18.2-2.el8_1
  • gitk-0:2.18.2-2.el8_1
  • gitweb-0:2.18.2-2.el8_1
  • perl-Git-0:2.18.2-2.el8_1
  • perl-Git-SVN-0:2.18.2-2.el8_1
  • git-0:2.18.2-2.el8_0
  • git-all-0:2.18.2-2.el8_0
  • git-core-0:2.18.2-2.el8_0
  • git-core-debuginfo-0:2.18.2-2.el8_0
  • git-core-doc-0:2.18.2-2.el8_0
  • git-daemon-0:2.18.2-2.el8_0
  • git-daemon-debuginfo-0:2.18.2-2.el8_0
  • git-debuginfo-0:2.18.2-2.el8_0
  • git-debugsource-0:2.18.2-2.el8_0
  • git-email-0:2.18.2-2.el8_0
  • git-gui-0:2.18.2-2.el8_0
  • git-instaweb-0:2.18.2-2.el8_0
  • git-subtree-0:2.18.2-2.el8_0
  • git-svn-0:2.18.2-2.el8_0
  • git-svn-debuginfo-0:2.18.2-2.el8_0
  • gitk-0:2.18.2-2.el8_0
  • gitweb-0:2.18.2-2.el8_0
  • perl-Git-0:2.18.2-2.el8_0
  • perl-Git-SVN-0:2.18.2-2.el8_0

References