CVE-2020-11008

Malicious URLs can still cause Git to send a stored credential to the wrong server

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability.

Las versiones afectadas de Git tienen una vulnerabilidad por la que Git puede ser engañado para que envíe credenciales privadas a un host controlado por un atacante. Este fallo es similar al CVE-2020-5260 (GHSA-qm7j-c969-7j4q). La corrección de ese bug todavía deja la puerta abierta para una explotación donde se filtra la credencial de _some_ (pero el atacante no puede controlar cuál). Git utiliza programas externos de "credential helper" para almacenar y recuperar contraseñas u otras credenciales desde el almacenamiento seguro proporcionado por el sistema operativo. Las URLs especialmente diseñadas que se consideran ilegales a partir de las versiones de Git recientemente publicadas pueden hacer que Git envíe un patrón "blank" a los asistentes, faltando los campos hostname y protocol. Muchos asistentes interpretarán esto como una coincidencia con la URL _any_, y devolverán alguna contraseña almacenada sin especificar, filtrando la contraseña hacia el servidor de un atacante. La vulnerabilidad puede ser desencadenada alimentando una URL maliciosa a "git clone". Sin embargo, las URLs afectadas parecen bastante sospechosas; el vector probable sería por medio de sistemas que clonan automáticamente las URLs no visibles para el usuario, tales como los submódulos de Git, o sistemas de paquetes construidos alrededor de Git. La raíz del problema está en el propio Git, que no debería estar alimentando con entradas en blanco a los asistentes. Sin embargo, la capacidad de explotar la vulnerabilidad en la práctica depende de los asistentes que se utilicen. Los asistentes con credenciales que se sabe que desencadenan la vulnerabilidad: - El asistente "store" de Git - El asistente "cache" de Git - El asistente "osxkeychain" que se incluye en los asistentes de Credenciales del directorio "contrib" de Git que se conoce que son seguros incluso con versiones vulnerables de Git: - Cualquier asistente de Git Credential Manager para Windows que no esté en esta lista, se debe asumir que desencadena la vulnerabilidad.

A flaw was found in git where credentials can be leaked through the use of a crafted URL. The crafted URL must contain a newline, empty host, or lack a scheme so that the credential helper is fulled into giving the information of a different host to the client. The highest threat from this vulnerability is to data confidentiality.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-03-30 CVE Reserved
2020-04-21 CVE Published
2024-08-04 CVE Updated
2024-08-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-522: Insufficiently Protected Credentials

CAPEC

References (14)

URL	Tag	Source
http://seclists.org/fulldisclosure/2020/May/41	Mailing List
https://lists.debian.org/debian-lts-announce/2020/04/msg00015.html	Mailing List
https://support.apple.com/kb/HT211183	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC
https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282	2023-11-07
https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7	2023-11-07
https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU	2023-11-07
https://security.gentoo.org/glsa/202004-13	2023-11-07
https://usn.ubuntu.com/4334-1	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-11008	2020-08-31
https://bugzilla.redhat.com/show_bug.cgi?id=1826001	2020-08-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				< 2.17.5 Search vendor "Git-scm" for product "Git" and version " < 2.17.5"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.18.0 < 2.18.4 Search vendor "Git-scm" for product "Git" and version " >= 2.18.0 < 2.18.4"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.19.0 < 2.19.5 Search vendor "Git-scm" for product "Git" and version " >= 2.19.0 < 2.19.5"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.20.0 < 2.20.4 Search vendor "Git-scm" for product "Git" and version " >= 2.20.0 < 2.20.4"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.21.0 < 2.21.3 Search vendor "Git-scm" for product "Git" and version " >= 2.21.0 < 2.21.3"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.22.0 < 2.22.4 Search vendor "Git-scm" for product "Git" and version " >= 2.22.0 < 2.22.4"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.23.0 < 2.23.3 Search vendor "Git-scm" for product "Git" and version " >= 2.23.0 < 2.23.3"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.24.0 < 2.24.3 Search vendor "Git-scm" for product "Git" and version " >= 2.24.0 < 2.24.3"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.25.0 < 2.25.4 Search vendor "Git-scm" for product "Git" and version " >= 2.25.0 < 2.25.4"		-		Affected
Git-scm Search vendor "Git-scm"		Git Search vendor "Git-scm" for product "Git"				>= 2.26.0 < 2.26.2 Search vendor "Git-scm" for product "Git" and version " >= 2.26.0 < 2.26.2"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected