oss-sec mailing list archives
CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server
From: Taylor Blau <ttaylorr () github com>
Date: Mon, 20 Apr 2020 13:47:12 -0600
Team,

Today, the Git project released v2.26.2 (and corresponding point releases as far back as the v2.17.x track) to address the following issue:

* CVE-2020-11008: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns.

The distros list has been notified of this release in advance of its disclosure. This notification serves the same purpose for the oss-security list, too.

Full details are available at the following link: https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7

Per the list guidelines, I am attaching a plaintext representation of the above so as to include all essential materials within the mail itself.

Thanks,
Taylor
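As an added example (not code from the Git project, and not part of the mail above), the following Python models the shape of the problem the advisory describes: a URL is split into the key=value fields Git hands to a credential helper, and a URL with no scheme, an empty host, or a newline inside a component yields a request with a missing or duplicated "host=" line. The permissive path shows that outcome; the hardened path refuses such under-specified requests, which is the spirit of the fix ("refusing to work with under-specified credential patterns"). The URL parser is a deliberately simplified, hypothetical one and the sample URLs are constructed; neither is taken from Git's own implementation or from any real attack.

```python
"""Simplified model of building a credential-helper request from a URL.

Added example, not Git's code.  Git's real URL parser and the credential
protocol have more cases than are modelled here; the goal is only to show
why a missing scheme, an empty host, or an embedded newline leaves the
helper without a trustworthy host to match on, and how refusing such
requests closes the gap.
"""
from dataclasses import dataclass
from typing import Optional


class CredentialError(ValueError):
    """Raised by the hardened path when a URL cannot safely be described."""


@dataclass
class Credential:
    protocol: Optional[str] = None
    host: Optional[str] = None
    path: Optional[str] = None
    username: Optional[str] = None


def credential_from_url(url: str) -> Credential:
    """Split a URL into credential fields (permissive, pre-fix behaviour).

    Hypothetical simplified parser: scheme before '://', optional 'user@',
    host up to the next '/', remainder is the path.  Missing pieces stay None
    rather than being rejected, which is the behaviour the fix removed.
    """
    cred = Credential()
    scheme, sep, rest = url.partition("://")
    if not sep:                 # no scheme at all: whole string is host + path
        rest = url
    else:
        cred.protocol = scheme or None
    hostpart, _slash, path = rest.partition("/")
    if "@" in hostpart:
        user, _, hostpart = hostpart.rpartition("@")
        cred.username = user or None
    cred.host = hostpart or None   # empty host becomes "no host line at all"
    cred.path = path or None
    return cred


def write_request(cred: Credential) -> str:
    """Serialize as the helper protocol does: key=value lines, blank line ends.

    A value containing '\n' is written verbatim, so the helper reads it as
    an additional key=value line (the injection shape of CVE-2020-5260).
    """
    lines = [f"{k}={v}" for k, v in vars(cred).items() if v is not None]
    return "\n".join(lines) + "\n\n"


def write_request_hardened(cred: Credential) -> str:
    """Same serialization, but refuse under-specified or unrepresentable input.

    Without both a protocol and a host the helper cannot know which stored
    credential is being asked for, so the request is refused instead of
    being left to the helper's handling of an absent "host" parameter.
    """
    if not cred.protocol or not cred.host:
        raise CredentialError("refusing to work with credential missing protocol or host")
    for key, value in vars(cred).items():
        if value is not None and ("\n" in value or "\r" in value):
            raise CredentialError(f"newline in {key} is not representable in the helper protocol")
    return write_request(cred)


def safe_request(url: str) -> Optional[str]:
    """Hardened end-to-end path: the serialized request, or None if refused."""
    try:
        return write_request_hardened(credential_from_url(url))
    except CredentialError:
        return None


# Constructed sample URLs (not from any real incident).
GOOD_URL = "https://user@example.com/repo.git"
EMPTY_HOST_URL = "https:///repo.git"
NO_SCHEME_URL = "example.com/repo.git"
NEWLINE_URL = "https://example.com?\nhost=attacker.example"

if __name__ == "__main__":
    for url in (GOOD_URL, EMPTY_HOST_URL, NO_SCHEME_URL, NEWLINE_URL):
        cred = credential_from_url(url)
        print(f"URL {url!r}")
        print("  permissive request:", repr(write_request(cred)))
        print("  hardened request:  ", repr(safe_request(url)))
```

Running the block prints, for each constructed URL, what a permissive serializer would send to a helper next to what the hardened path does: only the well-formed URL produces a request, the empty-host and schemeless URLs are refused outright, and the newline URL, which the permissive path turns into two "host=" lines, is refused as unrepresentable.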
Attachment: cve-2020-11008.txt