FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

malicious URLs can cause git to send a stored credential to wrong server

Affected packages
2.26.0 <= git < 2.26.2
2.25.0 <= git < 2.25.4
2.24.0 <= git < 2.24.3
2.23.0 <= git < 2.23.3
2.22.0 <= git < 2.22.4
2.21.0 <= git < 2.21.3
2.20.0 <= git < 2.20.4
2.19.0 <= git < 2.19.5
2.18.0 <= git < 2.18.4
0 <= git < 2.17.5
2.26.0 <= git-lite < 2.26.2
2.25.0 <= git-lite < 2.25.4
2.24.0 <= git-lite < 2.24.3
2.23.0 <= git-lite < 2.23.3
2.22.0 <= git-lite < 2.22.4
2.21.0 <= git-lite < 2.21.3
2.20.0 <= git-lite < 2.20.4
2.19.0 <= git-lite < 2.19.5
2.18.0 <= git-lite < 2.18.4
0 <= git-lite < 2.17.5
2.26.0 <= git-gui < 2.26.2
2.25.0 <= git-gui < 2.25.4
2.24.0 <= git-gui < 2.24.3
2.23.0 <= git-gui < 2.23.3
2.22.0 <= git-gui < 2.22.4
2.21.0 <= git-gui < 2.21.3
2.20.0 <= git-gui < 2.20.4
2.19.0 <= git-gui < 2.19.5
2.18.0 <= git-gui < 2.18.4
0 <= git-gui < 2.17.5

Details

VuXML ID 67765237-8470-11ea-a283-b42e99a1b9c3
Discovery 2020-04-20
Entry 2020-04-22

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.
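An added example, not code from Git or from the advisory: a guard that a defender could place in front of a credential helper so that a request missing its protocol or host field is never answered. The `<helper-name> <operation>` argument layout and the rule that an empty value counts as missing are assumptions of this example.

```python
import subprocess
import sys

REQUIRED = ("protocol", "host")  # the fields the advisory says go missing

# Constructed sample requests, in the key=value form git writes to a helper.
SAMPLE_OK = "protocol=https\nhost=git.example.com\n\n"
SAMPLE_BLANK = "username=alice\n\n"  # no protocol, no host: a "blank" pattern

def parse_request(text):
    """Parse the key=value lines of one credential request."""
    fields = {}
    for line in text.split("\n"):
        if line == "":
            break  # a blank line (or end of input) ends the request
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError("malformed credential line: %r" % line)
        fields[key] = value
    return fields

def is_blank_pattern(fields):
    """True when protocol or host is absent or empty (assumed policy)."""
    return any(not fields.get(name) for name in REQUIRED)

def guard(text):
    """Return True only if the request may be forwarded to the real helper."""
    try:
        return not is_blank_pattern(parse_request(text))
    except ValueError:
        return False

def main(argv):
    # Hypothetical invocation: guard.py <helper-name> <operation>
    if len(argv) != 3:
        return 2
    helper, operation = argv[1], argv[2]
    request = sys.stdin.read()
    if not guard(request):
        print("refusing credential request without protocol/host", file=sys.stderr)
        return 1  # nothing on stdout, so git receives no credential
    # Forward the untouched request to the real helper, e.g. git credential-<name>.
    return subprocess.run(["git", "credential-" + helper, operation],
                          input=request, text=True).returncode

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Upgrading to a fixed version listed under "Affected packages" remains the actual remedy; the guard only keeps a helper from answering a pattern that matches any URL.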

References

CVE Name CVE-2020-11008
URL https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7