
CVE-2020-11008

Malicious URLs can still cause Git to send a stored credential to the wrong server

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one).

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server.

The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git.

The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use.

Credential helpers which are known to trigger the vulnerability:
- Git's "store" helper
- Git's "cache" helper
- the "osxkeychain" helper that ships in Git's "contrib" directory

Credential helpers which are known to be safe even with vulnerable versions of Git:
- Git Credential Manager for Windows

Any helper not in this list should be assumed to trigger the vulnerability.


A flaw was found in Git where credentials can be leaked through the use of a crafted URL. The crafted URL must contain a newline, an empty host, or lack a scheme, so that the credential helper is fooled into handing the client the credential of a different host. The highest threat from this vulnerability is to data confidentiality.
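To make the mechanism in the descriptions concrete, the following is an added Python model written for this page; it is not Git's source code nor the real git-credential-store helper, and every name in it (StoredCredential, SAMPLE_STORE, helper_lookup, helper_lookup_strict, url_is_acceptable, query_from_url, credential_fill) and the sample credentials are constructed for illustration. It shows three things the advisory states: why a query whose protocol and host fields are blank matches every saved entry in a wildcard-matching helper (so "some" credential comes back), the URL validation that fixed Git versions perform before a helper is ever consulted (newline, empty host, missing scheme are refused), and the second line of defence a helper can apply on its own by refusing blank queries, which is why a strict helper stays safe even behind an unpatched Git.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class StoredCredential:
    protocol: str
    host: str
    username: str
    password: str
    path: str = ""


# Constructed sample store: what a store-style helper would hold after two logins.
SAMPLE_STORE = [
    StoredCredential("https", "example.com", "alice", "password-A"),
    StoredCredential("https", "git.internal.example", "deploy", "password-B"),
]


def helper_lookup(store, query: dict) -> Optional[StoredCredential]:
    """Wildcard matching as modelled here (simplified, not the real helper's code):
    every field present in the query must equal the stored value, and a field that
    is absent or blank in the query matches anything. With protocol and host both
    blank, every entry matches and the first one is handed back; that is the
    'unspecified stored password' the advisory describes."""
    for cred in store:
        if all(not query.get(field) or query[field] == getattr(cred, field)
               for field in ("protocol", "host", "path", "username")):
            return cred
    return None


def helper_lookup_strict(store, query: dict) -> Optional[StoredCredential]:
    """A helper-side defence: refuse to answer a query with no protocol or host,
    even when the calling Git is unpatched."""
    if not query.get("protocol") or not query.get("host"):
        return None
    return helper_lookup(store, query)


def url_is_acceptable(url: str) -> bool:
    """Reject the URL shapes the description names (newline, empty host, missing
    scheme). This mirrors the intent of the fix, not Git's implementation."""
    if "\n" in url or "\r" in url:
        return False
    parts = urlsplit(url)
    return bool(parts.scheme) and bool(parts.hostname)


def query_from_url(url: str) -> dict:
    """Build the protocol/host/username fields passed to a helper (simplified)."""
    parts = urlsplit(url)
    query = {"protocol": parts.scheme, "host": parts.hostname or ""}
    if parts.username:
        query["username"] = parts.username
    return query


def credential_fill(url: str, store, validate: bool = True) -> Optional[StoredCredential]:
    """validate=False models the unpatched behaviour: whatever came out of the URL,
    blank fields included, goes straight to the helper. validate=True models the
    fixed behaviour: malformed URLs are refused before the helper is consulted."""
    if validate and not url_is_acceptable(url):
        raise ValueError("refusing to consult credential helper for malformed URL: %r" % url)
    return helper_lookup(store, query_from_url(url))


if __name__ == "__main__":
    # Constructed inputs: one well-formed URL, one with an empty host, one without a scheme.
    for url in ("https://git.internal.example/repo.git", "https:///repo.git", "example.com/repo.git"):
        cred = credential_fill(url, SAMPLE_STORE, validate=False)
        print(f"{url!r}: unpatched lookup returns credential for {cred.username if cred else None}")
        try:
            credential_fill(url, SAMPLE_STORE)
            print(f"{url!r}: accepted by validation")
        except ValueError as exc:
            print(f"{url!r}: {exc}")
```

Run stand-alone, the model shows the well-formed URL resolving to the matching entry while the two malformed URLs return the first stored entry under the unpatched path and are refused under the validating path. The practical takeaway matches the advisory: patch Git so blank queries are never emitted, and prefer helpers that reject queries lacking protocol and host.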

*Credits: N/A
CVSS Scores

Metric               Vector 1 (CVSS v3.1, score 7.5)   Vector 2 (CVSS v3.x)   Vector 3 (CVSS v2 metrics)
Attack Vector        Network                           Network                Network
Attack Complexity    Low                               High                   Low
Privileges Required  None                              None                   n/a
Authentication       n/a                               n/a                    None
User Interaction     None                              None                   n/a
Scope                Unchanged                         Changed                n/a
Confidentiality      High                              Low                    Partial
Integrity            None                              None                   None
Availability         None                              None                   None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-03-30 CVE Reserved
  • 2020-04-21 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
  • CWE-522: Insufficiently Protected Credentials
CAPEC
Affected Vendors, Products, and Versions

Vendor         Product        Version              Other   Status
Git-scm        Git            < 2.17.5             -       Affected
Git-scm        Git            >= 2.18.0 < 2.18.4   -       Affected
Git-scm        Git            >= 2.19.0 < 2.19.5   -       Affected
Git-scm        Git            >= 2.20.0 < 2.20.4   -       Affected
Git-scm        Git            >= 2.21.0 < 2.21.3   -       Affected
Git-scm        Git            >= 2.22.0 < 2.22.4   -       Affected
Git-scm        Git            >= 2.23.0 < 2.23.3   -       Affected
Git-scm        Git            >= 2.24.0 < 2.24.3   -       Affected
Git-scm        Git            >= 2.25.0 < 2.25.4   -       Affected
Git-scm        Git            >= 2.26.0 < 2.26.2   -       Affected
Canonical      Ubuntu Linux   16.04                lts     Affected
Canonical      Ubuntu Linux   18.04                lts     Affected
Canonical      Ubuntu Linux   19.10                -       Affected
Debian         Debian Linux   8.0                  -       Affected
Fedoraproject  Fedora         31                   -       Affected
Fedoraproject  Fedora         32                   -       Affected