VuXML: malicious URLs can cause git to send a stored credential to wrong server

malicious URLs can cause git to send a stored credential to wrong server

Affected packages
2.26.0	<=	git	<	2.26.2
2.25.0	<=	git	<	2.25.4
2.24.0	<=	git	<	2.24.3
2.23.0	<=	git	<	2.23.3
2.22.0	<=	git	<	2.22.4
2.21.0	<=	git	<	2.21.3
2.20.0	<=	git	<	2.20.4
2.19.0	<=	git	<	2.19.5
2.18.0	<=	git	<	2.18.4
0	<=	git	<	2.17.5
2.26.0	<=	git-lite	<	2.26.2
2.25.0	<=	git-lite	<	2.25.4
2.24.0	<=	git-lite	<	2.24.3
2.23.0	<=	git-lite	<	2.23.3
2.22.0	<=	git-lite	<	2.22.4
2.21.0	<=	git-lite	<	2.21.3
2.20.0	<=	git-lite	<	2.20.4
2.19.0	<=	git-lite	<	2.19.5
2.18.0	<=	git-lite	<	2.18.4
0	<=	git-lite	<	2.17.5
2.26.0	<=	git-gui	<	2.26.2
2.25.0	<=	git-gui	<	2.25.4
2.24.0	<=	git-gui	<	2.24.3
2.23.0	<=	git-gui	<	2.23.3
2.22.0	<=	git-gui	<	2.22.4
2.21.0	<=	git-gui	<	2.21.3
2.20.0	<=	git-gui	<	2.20.4
2.19.0	<=	git-gui	<	2.19.5
2.18.0	<=	git-gui	<	2.18.4
0	<=	git-gui	<	2.17.5

Details

VuXML ID	67765237-8470-11ea-a283-b42e99a1b9c3
Discovery	2020-04-20
Entry	2020-04-22

VuXML ID

67765237-8470-11ea-a283-b42e99a1b9c3

Discovery

2020-04-20

Entry

2020-04-22

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.

[source]

CVE Name	CVE-2020-11008
URL	https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7

malicious URLs can cause git to send a stored credential to wrong server

Details

References