CVE-2020-5260
published 2020-04-14CVE-2020-5260: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses…
PriorityP354high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
10.05%
95.0th percentile
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
Affected
76 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | git | < git 1:2.39.5-0+deb12u2 (bookworm) | git 1:2.39.5-0+deb12u2 (bookworm) |
| debian | git | < git 1:2.26.2-1 (bookworm) | git 1:2.26.2-1 (bookworm) |
| debian | git | < git 1:2.26.1-1 (bookworm) | git 1:2.26.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| git-scm | git | < 2.17.5 | 2.17.5 |
| git-scm | git | >= 2.18.0 < 2.18.4 | 2.18.4 |
| git-scm | git | >= 2.18.0 < 2.18.3 | 2.18.3 |
| git-scm | git | >= 2.19.0 < 2.19.5 | 2.19.5 |
| git-scm | git | >= 2.19.0 < 2.19.4 | 2.19.4 |
| git-scm | git | >= 2.20.0 < 2.20.4 | 2.20.4 |
| git-scm | git | >= 2.20.0 < 2.20.3 | 2.20.3 |
| git-scm | git | >= 2.21.0 < 2.21.3 | 2.21.3 |
| git-scm | git | >= 2.21.0 < 2.21.2 | 2.21.2 |
| git-scm | git | >= 2.22.0 < 2.22.4 | 2.22.4 |
| git-scm | git | >= 2.23.0 < 2.23.3 | 2.23.3 |
| git-scm | git | >= 2.23.0 < 2.23.2 | 2.23.2 |
Detection & IOCsextracted from sources · hover to see the quote
- →Inspect URLs passed to `git clone` (including via submodules or package managers) for encoded newline characters (%0a) in the hostname or username portion, which are the primary exploit delivery mechanism for CVE-2020-5260. ↗
- →Monitor for `git clone` invocations that originate from automated systems processing untrusted URLs (e.g., submodule updates, package managers), as these are the most likely exploitation vectors where the malicious URL is not visible to the user. ↗
- →Audit `.gitmodules` files in repositories for URLs containing encoded newlines (%0a) or credential-protocol injection strings before running `git submodule update`. ↗
- →Detect use of vulnerable credential helpers (store, cache, osxkeychain) in Git configuration on hosts running unpatched Git versions prior to 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, or 2.26.1. ↗
- ·Git's built-in credential helpers ('store', 'cache') and the 'osxkeychain' contrib helper are confirmed vulnerable and will leak credentials when exploited; Git Credential Manager for Windows is confirmed safe even on unpatched Git versions. ↗
- ·Red Hat Enterprise Linux 6 is not affected because the vulnerable Git version (1.7.9-rc0 and later) was never packaged for that platform. ↗
- ·The fix for CVE-2020-5260 (commit 9a6bbee) is sufficient to protect clients; the full release also includes extra checks for `git fsck` but those are not required for client protection. ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_debian9.3CRITICAL
vendor_redhat9.3CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
git: Newline confusion in credential helpers can lead to credential exfiltration in git
vendor_redhat·2025-01-14·CVSS 9.3
CVE-2024-52006 [CRITICAL] CWE-116 git: Newline confusion in credential helpers can lead to credential exfiltration in git
git: Newline confusion in credential helpers can lead to credential exfiltration in git
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrad
Debian
CVE-2024-52006: git - Git is a fast, scalable, distributed revision control system with an unusually r...
vendor_debian·2024·CVSS 9.3
CVE-2024-52006 [CRITICAL] CVE-2024-52006: git - Git is a fast, scalable, distributed revision control system with an unusually r...
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive
Juniper
CVE-2020-1673: Insufficient Cross-Site Scripting (XSS) protection in Juniper Networks J-Web and web based (HTTP/HTTPS) services allows an unauthenticated attacker to
vendor_juniper·2020-10-16·CVSS 8.8
CVE-2020-1673 [HIGH] CWE-79 CVE-2020-1673: Insufficient Cross-Site Scripting (XSS) protection in Juniper Networks J-Web and web based (HTTP/HTTPS) services allows an unauthenticated attacker to
CVE-2020-1673: Insufficient Cross-Site Scripting (XSS) protection in Juniper Networks J-Web and web based (HTTP/HTTPS) services allows an unauthenticated attacker to hijack the target user's HTTP/HTTPS session and perform administrative actions on the Junos device as the targeted user. This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled such as J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP). Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/http
Red Hat
git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
vendor_redhat·2020-04-20·CVSS 4.0
CVE-2020-11008 [MEDIUM] CWE-20 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpre
Ubuntu
Git vulnerability
vendor_ubuntu·2020-04-14
CVE-2020-5260 Git vulnerability
Title: Git vulnerability
Summary: Git could be made to expose sensitive information.
Felix Wilhelm discovered that Git incorrectly handled certain URLs that
included newlines. A remote attacker could possibly use this issue to trick
Git into returning credential information for a wrong host.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
git: Crafted URL containing new lines can cause credential leak
vendor_redhat·2020-04-14·CVSS 9.3
CVE-2020-5260 [CRITICAL] CWE-20 git: Crafted URL containing new lines can cause credential leak
git: Crafted URL containing new lines can cause credential leak
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning tha
Debian
CVE-2020-11008: git - Affected versions of Git have a vulnerability whereby Git can be tricked into se...
vendor_debian·2020·CVSS 4.0
CVE-2020-11008 [MEDIUM] CVE-2020-11008: git - Affected versions of Git have a vulnerability whereby Git can be tricked into se...
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the pas
Debian
CVE-2020-5260: git - Affected versions of Git have a vulnerability whereby Git can be tricked into se...
vendor_debian·2020·CVSS 9.3
CVE-2020-5260 [CRITICAL] CVE-2020-5260: git - Affected versions of Git have a vulnerability whereby Git can be tricked into se...
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credential
OSV
CVE-2024-52006: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full acce
osv·2025-01-14·CVSS 7.5
CVE-2024-52006 [HIGH] CVE-2024-52006: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full acce
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive
OSV
CVE-2020-11008: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker
osv·2020-04-21·CVSS 7.5
CVE-2020-11008 [HIGH] CVE-2020-11008: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the pas
OSV
CVE-2020-5260: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker
osv·2020-04-14·CVSS 7.5
CVE-2020-5260 [HIGH] CVE-2020-5260: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credential
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-52006 git: Newline confusion in credential helpers can lead to credential exfiltration in git
bugzilla·2025-01-14·CVSS 7.5
CVE-2024-52006 [HIGH] CVE-2024-52006 git: Newline confusion in credential helpers can lead to credential exfiltration in git
CVE-2024-52006 git: Newline confusion in credential helpers can lead to credential exfiltration in git
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.1, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are ad
Bugzilla
CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
bugzilla·2020-04-20·CVSS 4.0
CVE-2020-11008 [MEDIUM] CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
As per upstream advisory:
With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with under-specified credential patterns.
Discussion:
Acknowledgments:
Name: the Git project
Upstream: Carlo Arenas
--
Bugzilla
CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak [fedora-all]
bugzilla·2020-04-15·CVSS 9.3
CVE-2020-5260 [CRITICAL] CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak [fedora-all]
CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppo
Bugzilla
CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
bugzilla·2020-04-08·CVSS 9.3
CVE-2020-5260 [CRITICAL] CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
As per upstream security advisory:
With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.
Discussion:
Acknowledgments:
Name: the Git project
Upstream: Felix Wilhelm (Google project zero)
---
Created attachment 1677136
Upstream patch-set
---
Statement:
Red Hat Enterprise Linux 6 is not affected by this flaw as the vulnerable version of git, version 1.7.9-rc0 and later, was never packaged for this instance of RHEL.
---
Upstream patch: https://github.com/git/git/compare/v2.17.3...v2.17.4
---
Exter
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.htmlhttp://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.htmlhttp://www.openwall.com/lists/oss-security/2020/04/15/5http://www.openwall.com/lists/oss-security/2020/04/15/6http://www.openwall.com/lists/oss-security/2020/04/20/1https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21bhttps://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4qhttps://lists.debian.org/debian-lts-announce/2020/04/msg00010.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/https://security.gentoo.org/glsa/202004-13https://support.apple.com/kb/HT211141https://usn.ubuntu.com/4329-1/https://www.debian.org/security/2020/dsa-4657http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.htmlhttp://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.htmlhttp://www.openwall.com/lists/oss-security/2020/04/15/5http://www.openwall.com/lists/oss-security/2020/04/15/6http://www.openwall.com/lists/oss-security/2020/04/20/1https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21bhttps://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4qhttps://lists.debian.org/debian-lts-announce/2020/04/msg00010.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/https://security.gentoo.org/glsa/202004-13https://support.apple.com/kb/HT211141https://usn.ubuntu.com/4329-1/https://www.debian.org/security/2020/dsa-4657
2020-04-14
Published