Severity
7.5 HIGH
EPSS
2.2%
top 15.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published
Apr 21, 2020

Description

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Spec
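The exchange the description refers to, modelled as an added example (this is illustration code, not git's own credential.c, nor anything from cvebase.io or the vendor advisories): git splits a URL into protocol, host, path and username, writes them to the helper's stdin as newline-delimited key=value lines ending in a blank line, and reads the helper's answer in the same format. The three URL classes the advisories name (an embedded newline, an empty host, a missing scheme) are the ones a hardened parser must refuse before anything reaches the helper. URL splitting here uses urllib rather than git's parser, the `strict` flag and the `describe` helper are this example's own, and every sample URL and expected request is constructed for it.

```python
"""Model of how git describes a URL to a credential helper, and of the URL
checks that the fixed releases (2.17.5 and later) apply first.

Added illustration for the advisory above, not code from git, cvebase.io or
any vendor. URL splitting is done with urllib rather than git's own parser,
and every sample URL and expected request below is constructed for it.
"""
from urllib.parse import unquote, urlsplit


class InvalidCredentialURL(ValueError):
    """A URL that hardened git refuses to describe to a credential helper."""


def credential_from_url(url: str, strict: bool = True) -> dict:
    """Split *url* into the fields git would send to a helper.

    strict=True refuses the three URL classes the advisories name for
    CVE-2020-11008: an embedded newline (raw or percent-encoded), an empty
    host, and a missing scheme. strict=False models the older, lax parse
    and returns whatever it found, so the resulting request can be inspected.
    """
    # A literal newline is refused in both modes: urllib silently strips it,
    # so there is no faithful lax model of it, and git never needs one.
    if "\n" in url or "\r" in url:
        raise InvalidCredentialURL("URL contains a raw newline")
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        if parts.port is not None:
            host = f"{host}:{parts.port}"
    except ValueError as exc:  # non-numeric port
        raise InvalidCredentialURL("URL has an invalid port") from exc
    # git percent-decodes host and path, so an encoded %0a is a real newline
    # from here on.
    cred = {
        "protocol": parts.scheme,
        "host": unquote(host),
        "path": unquote(parts.path.lstrip("/")),
    }
    if parts.username:
        cred["username"] = unquote(parts.username)
    if not strict:
        return cred
    if not cred["protocol"]:
        raise InvalidCredentialURL("URL has no scheme")
    if not parts.hostname:
        raise InvalidCredentialURL("URL has an empty host")
    for key, value in cred.items():
        if "\n" in value or "\r" in value:
            raise InvalidCredentialURL(f"{key} contains a newline")
    return cred


def to_helper_request(cred: dict) -> str:
    """Render *cred* as the key=value stream git writes to a helper's stdin,
    one field per line, terminated by a blank line.

    Unset fields are omitted, as in git's credential_write (this model also
    drops empty ones). That is why an empty-host URL mattered: a lax parse
    of it yields a request with no host line, and a helper that matches on
    whichever fields are present can answer with a credential stored for
    some other host, the "some credential is leaked" case above. A value
    containing a newline is refused here as well (the CVE-2020-5260 fix),
    since the helper would read the text after it as a separate line.
    """
    lines = []
    for key in ("protocol", "host", "path", "username"):
        value = cred.get(key, "")
        if not value:
            continue
        if "\n" in value or "\r" in value:
            raise InvalidCredentialURL(f"refusing to write {key} containing a newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def describe(url: str, strict: bool = True) -> str:
    """Return the request git would write for *url*, or why it was refused."""
    try:
        return to_helper_request(credential_from_url(url, strict=strict))
    except InvalidCredentialURL as exc:
        return f"rejected: {exc}"


# Constructed sample URLs: one ordinary remote and one of each refused class.
SAMPLE_URLS = [
    "https://alice@good.example/repo.git",
    "https:///repo.git",                              # empty host
    "good.example/repo.git",                          # no scheme
    "https://evil.example%0ahost=good.example/repo",  # percent-encoded newline
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        print("  strict:", describe(url).replace("\n", "\\n"))
        print("  lax:   ", describe(url, strict=False).replace("\n", "\\n"))
```

Running it side by side shows the two layers of defence: the strict parser refuses all three malformed URLs before any request is built, while the lax parse lets the empty-host URL through as a request containing only `protocol=` and `path=` lines, and only the write-time newline check (the earlier CVE-2020-5260 fix) stops the encoded-newline URL, which is exactly the gap the 2.17.5 release closed.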

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Exploitability: 2.2 | Impact: 1.4

Note: worked through the CVSS 3.1 formula, this vector does give the sub-scores shown (exploitability 8.22 x 0.85 x 0.44 x 0.85 x 0.85 = 2.22; impact with changed scope 7.52 x (0.22 - 0.029) = 1.44), but its base score is roundup(1.08 x (2.22 + 1.44)) = roundup(3.95) = 4.0 (Medium), not the 7.5 HIGH shown in the header. The header's score was therefore not derived from this vector.

Affected Packages (3 packages)

Source     Package       Affected versions
CVEListV5  git/git       < 2.17.5 (+9 more ranges)
NVD        git-scm/git   >= 2.18.0, < 2.18.4 (+9 more ranges)
Debian     git           < 1:2.26.2-1 (+3 more ranges)

Also affects: Debian Linux 8.0; Fedora 31, 32; Ubuntu Linux 16.04, 18.04, 19.10

Patches

🔴 Vulnerability Details (2)

OSV: CVE-2020-11008: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker (2020-04-21)
CVEList: Malicious URLs can still cause Git to send a stored credential to the wrong server (2020-04-21)

📋 Vendor Advisories (3)

Ubuntu: Git vulnerability (2020-04-21)
Red Hat: git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak (2020-04-20)
Debian: CVE-2020-11008: git - Affected versions of Git have a vulnerability whereby Git can be tricked into se... (2020)

💬 Community (2)

Bugzilla: CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak [fedora-all] (2020-04-21)
Bugzilla: CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak (2020-04-20)
CVE-2020-11008 (HIGH CVSS 7.5) | Affected versions of Git have a vul | cvebase.io