AI description
CVE-2024-53263 is a vulnerability found in Git Large File Storage (LFS), a Git extension used for managing large files within repositories. The vulnerability stems from how Git LFS handles URLs when requesting credentials. Specifically, it fails to check for embedded line-ending control characters (like line feed or carriage return) in the URLs passed to the `git-credential` command. This oversight allows attackers to craft malicious URLs containing these encoded control characters. When Git LFS subsequently sends credentials received from the helper back to the remote host, these manipulated URLs can enable an attacker to capture the user's Git credentials. Git LFS versions prior to v3.6.1 are susceptible to this vulnerability. Users are strongly encouraged to upgrade to the patched version (v3.6.1) to mitigate the risk of credential theft. Currently, there are no known workarounds for this vulnerability other than updating to the latest version. This vulnerability allows attackers to potentially gain unauthorized access to sensitive data and disrupt services that rely on Git LFS for file management.
- Description
- Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.5
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-74
- Hype score
- Not currently trending
🚨 Alert — GitHub Desktop & GitHub projects have critical vulnerabilities that can expose your credentials to attackers. 🔑 CVE-2024-53263 – Git LFS leaks credentials via crafted URLs. ⚡ CVE-2024-50338 – GitHub CLI sends tokens to attacker-controlled hosts. Attackers can us
@TheHackersNews
27 Jan 2025
23775 Impressions
103 Retweets
214 Likes
39 Bookmarks
6 Replies
6 Quotes
CVE-2024-53263 01/14/2025 08:15:28 PM BaseSeverity: HIGH Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions o... https://t.co/NxGBFTh7UZ
@CVETracker
15 Jan 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-53263 Credential Leakage in Git LFS via URL Control Characters https://t.co/6m6ON8aRgn Customizable Vulnerability Alerts: https://t.co/U7998fz7yk
@VulmonFeeds
15 Jan 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-53263 Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-… https://t.co/d0wgRmMKhv
@CVEnew
14 Jan 2025
78 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes