FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

malicious URLs may present credentials to wrong server

Affected packages
2.26.0 <= git < 2.26.1
2.25.0 <= git < 2.25.3
2.24.0 <= git < 2.24.2
2.23.0 <= git < 2.23.2
2.22.0 <= git < 2.22.3
2.21.0 <= git < 2.21.2
2.20.0 <= git < 2.20.3
2.19.0 <= git < 2.19.4
2.18.0 <= git < 2.18.3
0 <= git < 2.17.4
2.26.0 <= git-lite < 2.26.1
2.25.0 <= git-lite < 2.25.3
2.24.0 <= git-lite < 2.24.2
2.23.0 <= git-lite < 2.23.2
2.22.0 <= git-lite < 2.22.3
2.21.0 <= git-lite < 2.21.2
2.20.0 <= git-lite < 2.20.3
2.19.0 <= git-lite < 2.19.4
2.18.0 <= git-lite < 2.18.3
0 <= git-lite < 2.17.4
2.26.0 <= git-gui < 2.26.1
2.25.0 <= git-gui < 2.25.3
2.24.0 <= git-gui < 2.24.2
2.23.0 <= git-gui < 2.23.2
2.22.0 <= git-gui < 2.22.3
2.21.0 <= git-gui < 2.21.2
2.20.0 <= git-gui < 2.20.3
2.19.0 <= git-gui < 2.19.4
2.18.0 <= git-gui < 2.18.3
0 <= git-gui < 2.17.4

Details

VuXML ID ced2d47e-8469-11ea-a283-b42e99a1b9c3
Discovery 2020-04-14
Entry 2020-04-22

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.

References

CVE Name CVE-2020-5260
URL https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q