CVE-2024-50338: Sensitive Information Exposure in Git-credential-manager

Severity: 7.4 HIGH (NVD)
EPSS: 0.2% (top 64.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 14; latest update Jan 27

Description

Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation forbids the NUL (`\0`) character and newlines from forming part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 4.0

🔴 Vulnerability Details (2)

GHSA: Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials (2025-01-14)
OSV: Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials (2025-01-14)

📋 Vendor Advisories (1)

Microsoft: GitHub: CVE-2024-50338 Malformed URL allows information disclosure through git-credential-manager (2025-01-14)

🕵️ Threat Intelligence (2)

Bleepingcomputer: Clone2Leak attacks exploit Git flaws to steal credentials (2025-01-27)
Bleepingcomputer: Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (2025-01-14)