CVE-2020-5260 — Improper Input Validation in GIT

CWE-20 — Improper Input Validation CWE-522 — Insufficiently Protected Credentials CWE-79 — Cross-site Scripting CWE-116 — Improper Encoding or Escaping of Output CWE-147 — Improper Neutralization of Input Terminators CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences12 documents8 sources

Severity

7.5HIGHNVD

CNA9.3

EPSS

32.5%

top 3.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GIT Git-scm GIT Canonical Ubuntu Linux +3 more

Timeline

PublishedApr 14

Latest updateJan 14

Description

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g.…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5git/git< 2.17.4+18

▶NVDgit/git2.22.0 — 2.22.3+1

▶NVDgit-scm/git2.18.0 — 2.18.3+7

▶Debiangit/git< 1:2.26.1-1+3

▶NVDopensuse/leap15.1

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 30, 31, 32, Ubuntu Linux 16.04, 18.04, 19.10

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

malicious URLs may cause Git to present stored credentials to the wrong server↗2020-04-14

▶

OSV

CVE-2020-5260: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker↗2020-04-14

▶

📋Vendor Advisories

Red Hat

git: Newline confusion in credential helpers can lead to credential exfiltration in git↗2025-01-14

▶

Juniper

CVE-2020-1673: Insufficient Cross-Site Scripting (XSS) protection in Juniper Networks J-Web and web based (HTTP/HTTPS) services allows an unauthenticated attacker to↗2020-10-16

▶

Ubuntu

Git vulnerability↗2020-04-14

▶

Red Hat

git: Crafted URL containing new lines can cause credential leak↗2020-04-14

▶

Debian

CVE-2020-5260: git - Affected versions of Git have a vulnerability whereby Git can be tricked into se...↗2020

▶

💬Community

Bugzilla

CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak↗2020-04-20

▶

Bugzilla

CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak [fedora-all]↗2020-04-15

▶

Bugzilla

CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak↗2020-04-08

▶