csaf_certbund - wid-sec-w-2025-0189

WID-SEC-W-2025-0189

Vulnerability from csaf_certbund - Published: 2020-04-14 22:00 - Updated: 2025-01-27 23:00

Summary

git: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Git ist eine freie Software zur verteilten Versionsverwaltung von Dateien.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in git ausnutzen, um Anmeldeinformationen offenzulegen.

Betroffene Betriebssysteme

- Linux - MacOS X - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Git ist eine freie Software zur verteilten Versionsverwaltung von Dateien.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in git ausnutzen, um Anmeldeinformationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0189 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2025-0189.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0189 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0189"
      },
      {
        "category": "external",
        "summary": "Git Security Advisory GHSA-qm7j-c969-7j4q vom 2020-04-14",
        "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-4329-1 vom 2020-04-14",
        "url": "https://usn.ubuntu.com/4329-1/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-4657-1 vom 2020-04-14",
        "url": "https://www.debian.org/security/2020/dsa-4657"
      },
      {
        "category": "external",
        "summary": "Apple Xcode 11.4.1 security update",
        "url": "https://support.apple.com/en-us/HT211141"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:1503 vom 2020-04-21",
        "url": "https://access.redhat.com/errata/RHSA-2020:1503"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:1518 vom 2020-04-21",
        "url": "https://access.redhat.com/errata/RHSA-2020:1518"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:1511 vom 2020-04-21",
        "url": "https://access.redhat.com/errata/RHSA-2020:1511"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:0992-1 vom 2020-04-24",
        "url": "https://www.suse.com/support/update/announcement/2020/suse-su-20200992-1.html"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-202004-21 vom 2020-04-24",
        "url": "https://security.archlinux.org/ASA-202004-21"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-202004-13 vom 2020-04-24",
        "url": "https://security.archlinux.org/ASA-202004-13"
      },
      {
        "category": "external",
        "summary": "AVAYA Security Advisory ASA-2020-067 vom 2020-04-25",
        "url": "https://downloads.avaya.com/css/P8/documents/101066057"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:1121-1 vom 2020-04-28",
        "url": "https://www.suse.com/support/update/announcement/2020/suse-su-20201121-1.html"
      },
      {
        "category": "external",
        "summary": "CentOS Security Advisory CESA-2020:1511 vom 2020-04-30",
        "url": "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2020-1511-Important-CentOS-7-git-Security-Update-tp4645910.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:1295-1 vom 2020-05-21",
        "url": "https://www.suse.com/support/update/announcement/2020/suse-su-20201295-1.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:3581 vom 2020-08-31",
        "url": "https://access.redhat.com/errata/RHSA-2020:3581"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2025-2737 vom 2025-01-24",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2737.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4031 vom 2025-01-28",
        "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00025.html"
      }
    ],
    "source_lang": "en-US",
    "title": "git: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2025-01-27T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-28T13:12:06.338+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2025-0189",
      "initial_release_date": "2020-04-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2020-04-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2020-04-19T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Apple aufgenommen"
        },
        {
          "date": "2020-04-20T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-04-21T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2020-04-23T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2020-04-26T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von AVAYA aufgenommen"
        },
        {
          "date": "2020-04-28T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2020-05-03T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von CentOS aufgenommen"
        },
        {
          "date": "2020-05-21T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2020-08-30T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-01-26T23:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-01-27T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "12"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c11.4.1",
                "product": {
                  "name": "Apple Xcode \u003c11.4.1",
                  "product_id": "T016329"
                }
              },
              {
                "category": "product_version",
                "name": "11.4.1",
                "product": {
                  "name": "Apple Xcode 11.4.1",
                  "product_id": "T016329-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apple:xcode:11.4.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Xcode"
          }
        ],
        "category": "vendor",
        "name": "Apple"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Arch Linux",
            "product": {
              "name": "Open Source Arch Linux",
              "product_id": "T013312",
              "product_identification_helper": {
                "cpe": "cpe:/o:archlinux:archlinux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Open Source CentOS",
            "product": {
              "name": "Open Source CentOS",
              "product_id": "1727",
              "product_identification_helper": {
                "cpe": "cpe:/o:centos:centos:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.17.4",
                "product": {
                  "name": "Open Source git \u003c2.17.4",
                  "product_id": "T016276"
                }
              },
              {
                "category": "product_version",
                "name": "2.17.4",
                "product": {
                  "name": "Open Source git 2.17.4",
                  "product_id": "T016276-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.17.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.18.3",
                "product": {
                  "name": "Open Source git \u003c2.18.3",
                  "product_id": "T016277"
                }
              },
              {
                "category": "product_version",
                "name": "2.18.3",
                "product": {
                  "name": "Open Source git 2.18.3",
                  "product_id": "T016277-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.18.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.19.4",
                "product": {
                  "name": "Open Source git \u003c2.19.4",
                  "product_id": "T016278"
                }
              },
              {
                "category": "product_version",
                "name": "2.19.4",
                "product": {
                  "name": "Open Source git 2.19.4",
                  "product_id": "T016278-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.19.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.20.3",
                "product": {
                  "name": "Open Source git \u003c2.20.3",
                  "product_id": "T016279"
                }
              },
              {
                "category": "product_version",
                "name": "2.20.3",
                "product": {
                  "name": "Open Source git 2.20.3",
                  "product_id": "T016279-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.20.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.21.2",
                "product": {
                  "name": "Open Source git \u003c2.21.2",
                  "product_id": "T016280"
                }
              },
              {
                "category": "product_version",
                "name": "2.21.2",
                "product": {
                  "name": "Open Source git 2.21.2",
                  "product_id": "T016280-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.21.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.22.3",
                "product": {
                  "name": "Open Source git \u003c2.22.3",
                  "product_id": "T016281"
                }
              },
              {
                "category": "product_version",
                "name": "2.22.3",
                "product": {
                  "name": "Open Source git 2.22.3",
                  "product_id": "T016281-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.22.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.23.2",
                "product": {
                  "name": "Open Source git \u003c2.23.2",
                  "product_id": "T016282"
                }
              },
              {
                "category": "product_version",
                "name": "2.23.2",
                "product": {
                  "name": "Open Source git 2.23.2",
                  "product_id": "T016282-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.23.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.24.2",
                "product": {
                  "name": "Open Source git \u003c2.24.2",
                  "product_id": "T016283"
                }
              },
              {
                "category": "product_version",
                "name": "2.24.2",
                "product": {
                  "name": "Open Source git 2.24.2",
                  "product_id": "T016283-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.24.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.25.3",
                "product": {
                  "name": "Open Source git \u003c2.25.3",
                  "product_id": "T016284"
                }
              },
              {
                "category": "product_version",
                "name": "2.25.3",
                "product": {
                  "name": "Open Source git 2.25.3",
                  "product_id": "T016284-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.25.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.26.1",
                "product": {
                  "name": "Open Source git \u003c2.26.1",
                  "product_id": "T016285"
                }
              },
              {
                "category": "product_version",
                "name": "2.26.1",
                "product": {
                  "name": "Open Source git 2.26.1",
                  "product_id": "T016285-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:git:2.26.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "git"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-5260",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in git. Als Parameter \u00fcbergebene URL werden nur unzureichend validiert an die \"credential helper\" Komponente \u00fcbergeben. Wenn diese URL \"Newline\" Zeichen enth\u00e4lt, wird dadurch das vom \"credential helper\" genutzte Protokoll beeinflusst. Ein Angreifer kann dadurch gespeicherte Anmeldeinformationen an einen von ihm kontrollierten Server senden lassen und somit offenlegen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen eine modifizierte URL mit dem Kommando \"git clone\" zu verwenden."
        }
      ],
      "product_status": {
        "known_affected": [
          "67646",
          "T016329",
          "T013312",
          "T016279",
          "T016278",
          "T016277",
          "T016276",
          "T016285",
          "T016284",
          "T016283",
          "2951",
          "T002207",
          "T016282",
          "T016281",
          "T000126",
          "T016280",
          "398363",
          "1727"
        ]
      },
      "release_date": "2020-04-14T22:00:00.000+00:00",
      "title": "CVE-2020-5260"
    }
  ]
}

CVE-2020-5260 (GCVE-0-2020-5260)

Vulnerability from cvelistv5 – Published: 2020-04-14 22:50 – Updated: 2024-08-04 08:22

Title

malicious URLs may cause Git to present stored credentials to the wrong server

Summary

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/git/git/security/advisories/GH…	x_refsource_CONFIRM
	https://github.com/git/git/commit/9a6bbee8006c24b…	x_refsource_MISC
	https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gi…	x_refsource_MISC
	https://www.debian.org/security/2020/dsa-4657	vendor-advisoryx_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2020/04/15/5	mailing-listx_refsource_MLIST
	http://packetstormsecurity.com/files/157250/Git-C…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2020/04/15/6	mailing-listx_refsource_MLIST
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://support.apple.com/kb/HT211141	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	http://www.openwall.com/lists/oss-security/2020/04/20/1	mailing-listx_refsource_MLIST
	https://security.gentoo.org/glsa/202004-13	vendor-advisoryx_refsource_GENTOO
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://usn.ubuntu.com/4329-1/	vendor-advisoryx_refsource_UBUNTU
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE

Impacted products

	Vendor	Product	Version
	git	git	Affected: < 2.17.4 Affected: >= 2.18.0, < 2.18.3 Affected: >= 2.19.0, 2.19.4 Affected: >= 2.20.0, < 2.20.3 Affected: >= 2.21.0, < 2.21.2 Affected: >= 2.22.0, < 2.22.3 Affected: >= 2.23.0, < 2.23.2 Affected: >= 2.24.0, < 2.24.2 Affected: >= 2.25.0, < 2.25.3 Affected: >= 2.26.0, < 2.26.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:22:09.095Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/"
          },
          {
            "name": "DSA-4657",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4657"
          },
          {
            "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2177-1] git security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html"
          },
          {
            "name": "[oss-security] 20200415 CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/04/15/5"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html"
          },
          {
            "name": "[oss-security] 20200415 Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/04/15/6"
          },
          {
            "name": "openSUSE-SU-2020:0524",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT211141"
          },
          {
            "name": "FEDORA-2020-cdef88bb89",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/"
          },
          {
            "name": "[oss-security] 20200420 CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/04/20/1"
          },
          {
            "name": "GLSA-202004-13",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-13"
          },
          {
            "name": "FEDORA-2020-c6548b488f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/"
          },
          {
            "name": "FEDORA-2020-f6b3b6fb18",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"
          },
          {
            "name": "FEDORA-2020-b2a2c830cf",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"
          },
          {
            "name": "USN-4329-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4329-1/"
          },
          {
            "name": "FEDORA-2020-4e093619bb",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"
          },
          {
            "name": "openSUSE-SU-2020:0598",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "git",
          "vendor": "git",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.17.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.18.0, \u003c 2.18.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.19.0, 2.19.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.20.0, \u003c 2.20.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.21.0, \u003c 2.21.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.22.0, \u003c 2.22.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.23.0, \u003c 2.23.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.24.0, \u003c 2.24.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.25.0, \u003c 2.25.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.26.0, \u003c 2.26.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-06T18:06:08",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/"
        },
        {
          "name": "DSA-4657",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4657"
        },
        {
          "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2177-1] git security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html"
        },
        {
          "name": "[oss-security] 20200415 CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/04/15/5"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html"
        },
        {
          "name": "[oss-security] 20200415 Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/04/15/6"
        },
        {
          "name": "openSUSE-SU-2020:0524",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT211141"
        },
        {
          "name": "FEDORA-2020-cdef88bb89",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/"
        },
        {
          "name": "[oss-security] 20200420 CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/04/20/1"
        },
        {
          "name": "GLSA-202004-13",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-13"
        },
        {
          "name": "FEDORA-2020-c6548b488f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/"
        },
        {
          "name": "FEDORA-2020-f6b3b6fb18",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"
        },
        {
          "name": "FEDORA-2020-b2a2c830cf",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"
        },
        {
          "name": "USN-4329-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4329-1/"
        },
        {
          "name": "FEDORA-2020-4e093619bb",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"
        },
        {
          "name": "openSUSE-SU-2020:0598",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
        }
      ],
      "source": {
        "advisory": "GHSA-qm7j-c969-7j4q",
        "discovery": "UNKNOWN"
      },
      "title": "malicious URLs may cause Git to present stored credentials to the wrong server",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5260",
          "STATE": "PUBLIC",
          "TITLE": "malicious URLs may cause Git to present stored credentials to the wrong server"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "git",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.17.4"
                          },
                          {
                            "version_value": "\u003e= 2.18.0, \u003c 2.18.3"
                          },
                          {
                            "version_value": "\u003e= 2.19.0, 2.19.4"
                          },
                          {
                            "version_value": "\u003e= 2.20.0, \u003c 2.20.3"
                          },
                          {
                            "version_value": "\u003e= 2.21.0, \u003c 2.21.2"
                          },
                          {
                            "version_value": "\u003e= 2.22.0, \u003c 2.22.3"
                          },
                          {
                            "version_value": "\u003e= 2.23.0, \u003c 2.23.2"
                          },
                          {
                            "version_value": "\u003e= 2.24.0, \u003c 2.24.2"
                          },
                          {
                            "version_value": "\u003e= 2.25.0, \u003c 2.25.3"
                          },
                          {
                            "version_value": "\u003e= 2.26.0, \u003c 2.26.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "git"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external \"credential helper\" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20: Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q",
              "refsource": "CONFIRM",
              "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"
            },
            {
              "name": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b",
              "refsource": "MISC",
              "url": "https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b"
            },
            {
              "name": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/",
              "refsource": "MISC",
              "url": "https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/"
            },
            {
              "name": "DSA-4657",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4657"
            },
            {
              "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2177-1] git security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html"
            },
            {
              "name": "[oss-security] 20200415 CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/04/15/5"
            },
            {
              "name": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html"
            },
            {
              "name": "[oss-security] 20200415 Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/04/15/6"
            },
            {
              "name": "openSUSE-SU-2020:0524",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html"
            },
            {
              "name": "https://support.apple.com/kb/HT211141",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT211141"
            },
            {
              "name": "FEDORA-2020-cdef88bb89",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/"
            },
            {
              "name": "[oss-security] 20200420 CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/04/20/1"
            },
            {
              "name": "GLSA-202004-13",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-13"
            },
            {
              "name": "FEDORA-2020-c6548b488f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/"
            },
            {
              "name": "FEDORA-2020-f6b3b6fb18",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/"
            },
            {
              "name": "FEDORA-2020-b2a2c830cf",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/"
            },
            {
              "name": "USN-4329-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4329-1/"
            },
            {
              "name": "FEDORA-2020-4e093619bb",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/"
            },
            {
              "name": "openSUSE-SU-2020:0598",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-qm7j-c969-7j4q",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-5260",
    "datePublished": "2020-04-14T22:50:12",
    "dateReserved": "2020-01-02T00:00:00",
    "dateUpdated": "2024-08-04T08:22:09.095Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-0189

CVE-2020-5260 (GCVE-0-2020-5260)

Tags

Sightings

Nomenclature