git: Crafted URL that contains newlines, has an empty host, or lacks a scheme can cause credential leak (CVE-2020-11008)
The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. This bug is similar to the one mentioned in CVE-2020-5260. The fix for that bug still left the door open for an exploit where some credential is leaked (but the attacker cannot control which one). The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use.
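For automation that clones submodule or package URLs nobody looks at, a pre-clone audit can flag the three URL shapes named above. This Python is an added example, not code from Git or the advisory; the function names, the constructed `.gitmodules` sample and the strict rule that any URL without `://` counts as scheme-less are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Matches "url = ..." lines in .gitmodules text; [ \t] keeps a match on one line.
URL_LINE = re.compile(r'^[ \t]*url[ \t]*=[ \t]*(.*?)[ \t]*$', re.MULTILINE)

def audit_url(url):
    """Return which of the advisory's URL shapes `url` shows ([] = none)."""
    findings = []
    # Newlines may be raw or percent-encoded, so test the decoded form.
    if any(c in unquote(url) for c in "\r\n"):
        findings.append("newline")
    # Assumed strict policy: no "://" means no scheme. This also flags
    # scp-style (git@host:path) and relative submodule URLs for review.
    if "://" not in url:
        return findings + ["no scheme"]
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return findings + ["unparseable"]
    if not host:
        findings.append("empty host")
    return findings

def audit_gitmodules(text):
    """Map each flagged submodule URL in .gitmodules text to its findings."""
    urls = (raw.strip('"') for raw in URL_LINE.findall(text))
    return {u: f for u in urls if (f := audit_url(u))}

# Constructed sample input, not taken from any real repository.
SAMPLE_GITMODULES = """\
[submodule "ok"]
    path = vendor/ok
    url = https://example.com/ok.git
[submodule "nohost"]
    path = vendor/nohost
    url = https:///example.com/x.git
[submodule "noscheme"]
    path = vendor/noscheme
    url = example.com/x.git
[submodule "newline"]
    path = vendor/newline
    url = https://example.com%0Ax/y.git
"""

if __name__ == "__main__":
    for url, found in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(f"{url!r}: {', '.join(found)}")
```

A check like this only screens input on the automation side; hosts running an affected Git still need one of the fixed versions listed below.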
Affected versions:
git <= 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1
Fixed in versions:
git 2.17.5, 2.18.4, 2.19.5, 2.20.4, 2.21.3, 2.22.4, 2.23.3, 2.24.3, 2.25.4, 2.26.2
References:
- https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
- https://lore.kernel.org/git/xmqq4kterq5s.fsf@gitster.c.googlers.com/