AI description
CVE-2024-50338 is a vulnerability in the Git Credential Manager (GCM) that could allow credentials to be leaked. A specially crafted URL containing a carriage return character ("\r") can cause the GCM to send credentials to an unintended host. This is due to how the GCM interprets the carriage return character within the URL. The vulnerability affects the Git Credential Manager (GCM) across different platforms. The GCM is a tool that securely stores and manages Git credentials. By exploiting this vulnerability, an attacker could potentially gain unauthorized access to a user's Git credentials.
- Description
- Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation forbids the NUL (`\0`) character and newlines from forming part of the keys or values. When Git reads from standard input, it treats both LF and CRLF as newline characters for the credential protocol, because it calls `strbuf_getline`, which in turn calls `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the line-feed character (LF, `\n`), and errors if one is found. This captures both LF and CRLF-style newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method treats LF, CRLF, and CR as valid line endings. This means that .NET considers a single CR a valid newline character, whereas Git does not. Because of this mismatch in newline treatment between Git and GCM, an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning repositories with submodules using the `--recursive` clone option, as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and should not clone with `--recursive`, so that any submodule URLs can be inspected before those submodules are cloned.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
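As an added example (not Git's or GCM's own code), this Python models the newline mismatch the description explains: a Git-style splitter that ends lines only at LF (stripping a preceding CR), a .NET-style splitter that also ends them at a bare CR, and an assumed hardening check that refuses control characters. The sample input and hostnames are constructed placeholders.

```python
import re

# Constructed stdin sample for a credential helper: the host value carries a
# bare CR. Both hostnames are placeholders.
SAMPLE = "protocol=https\nhost=git.example.test\rhost=attacker.example.test\n\n"


def split_lines_git(data: str) -> list[str]:
    # Models Git's strbuf_getline: LF ends a line, a CR directly before the
    # LF is stripped, and a bare CR stays inside the line.
    lines = data.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # input ended with LF, no partial trailing line
    return [ln[:-1] if ln.endswith("\r") else ln for ln in lines]


def split_lines_dotnet(data: str) -> list[str]:
    # Models .NET StreamReader.ReadLine(): CR, LF and CRLF all end a line.
    lines = re.split(r"\r\n|\r|\n", data)
    if lines and lines[-1] == "":
        lines.pop()
    return lines


def parse_credential(lines: list[str]) -> dict[str, str]:
    # key=value per line; a blank line ends the request; a repeated key
    # overrides the earlier value, so a host line split in two wins.
    attrs: dict[str, str] = {}
    for ln in lines:
        if ln == "":
            break
        key, sep, value = ln.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {ln!r}")
        attrs[key] = value
    return attrs


def parse_credential_hardened(data: str) -> dict[str, str]:
    # Assumed mitigation (not GCM's own 2.6.1 patch): split the Git way, then
    # reject any line still holding CR, LF or NUL so a value cannot be re-split.
    for ln in split_lines_git(data):
        if any(c in ln for c in "\r\n\0"):
            raise ValueError(f"control character in credential line: {ln!r}")
    return parse_credential(split_lines_git(data))


def hardened_rejects(data: str) -> bool:
    try:
        parse_credential_hardened(data)
    except ValueError:
        return True
    return False
```

Run on `SAMPLE`, the Git-style parse keeps one `host` value containing the CR, while the .NET-style parse yields a second `host` line that overrides the first; the hardened parser rejects the input outright.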
CVSS 3.1
- Type
- Secondary
- Base score
- 7.4
- Impact score
- 4
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-200
- Hype score
- Not currently trending
🚨 Alert — GitHub Desktop & GitHub projects have critical vulnerabilities that can expose your credentials to attackers. 🔑 CVE-2024-53263 – Git LFS leaks credentials via crafted URLs. ⚡ CVE-2024-50338 – GitHub CLI sends tokens to attacker-controlled hosts. Attackers can us
@TheHackersNews
27 Jan 2025
23775 Impressions
103 Retweets
214 Likes
39 Bookmarks
6 Replies
6 Quotes
Do you know who to contact to update the page https://t.co/AamYe2oZF4 ? It is still pointing to the old version v2.47.1 instead of the latest version v2.47.1.2 More info: CVE-2024-50338 https://t.co/40fZx8XrdF cc @chacon @GitForWindows @msftsecresponse https://t.co/zKMxLu0WFz
@SoftyJourney
15 Jan 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-50338 seems to be an interesting one; it was assigned around 2024-10-22 but only made public on 2025-01-14. "Carriage-return character in remote URL allows malicious repository to leak credentials" https://t.co/40fZx8XrdF => Time to update "Git for Windows" to v2.47.1
@SoftyJourney
14 Jan 2025
76 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes