fkie_cve-2024-50338
Vulnerability from fkie_nvd
Published
2025-01-14 19:15
Modified
2025-01-14 19:15
Severity
Summary
Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation does not allow the NUL (`\0`) character or newlines to form part of the keys or values. When Git reads from standard input, it treats both LF and CRLF as newlines for the credential protocol, because it calls `strbuf_getline`, which calls `strbuf_getdelim_strip_crlf`. Git also validates that a value contains no newline by checking for the line-feed character (LF, `\n`), and errors if one is present. This catches both LF and CRLF newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line by line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This means that .NET considers a single CR a valid newline character, whereas Git does not. Because of this mismatch in newline treatment between Git and GCM, an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The risk is greater when cloning repositories with submodules using the `--recursive` clone option, as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and should not clone with `--recursive`, so that any submodule URLs can be inspected before those submodules are cloned.
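The newline mismatch described in the summary can be reproduced with two small line splitters. This is an added example, not code from Git, .NET or GCM: the function names, the sample message and the stricter `strict_value_ok` check are assumptions made for illustration, and it does not reproduce the fix shipped in 2.6.1.

```python
import re

# Constructed sample: the value of "path" contains a bare CR (no LF after it).
SAMPLE = "protocol=https\nhost=example.test\npath=repo\rextra=1\n\n"

def git_style_lines(data):
    """Model of Git's reader as the summary describes it: LF ends a line,
    and a CR directly before that LF is stripped (so CRLF behaves like LF)."""
    return [l[:-1] if l.endswith("\r") else l for l in data.split("\n")]

def dotnet_style_lines(data):
    """Model of a StreamReader-style reader: LF, CRLF and bare CR end a line."""
    return re.split(r"\r\n|\r|\n", data)

def parse_pairs(lines):
    """Collect key=value pairs up to the first blank line."""
    pairs = []
    for line in lines:
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key, value))
    return pairs

def git_accepts_value(value):
    """The sender-side check the summary describes: only LF is rejected."""
    return "\n" not in value

def strict_value_ok(value):
    """Hypothetical stricter check: refuse NUL, LF and CR in any key or value."""
    return not any(c in value for c in "\0\n\r")

def readers_disagree(data):
    """True when the two line-splitting rules yield different pairs."""
    return parse_pairs(git_style_lines(data)) != parse_pairs(dotnet_style_lines(data))

if __name__ == "__main__":
    print("git-style   :", parse_pairs(git_style_lines(SAMPLE)))
    print("dotnet-style:", parse_pairs(dotnet_style_lines(SAMPLE)))
    print("disagree    :", readers_disagree(SAMPLE))
```

A value containing a bare CR passes the LF-only check but is split into an extra pair by the CR-aware reader; a check that also refuses CR on either side of the pipe closes that gap.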
References
Impacted products
Vendor | Product | Version |
---|
{ "cveTags": [], "descriptions": [ { "lang": "en", "value": "Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git\u0027s documentation restricts the use of the NUL (`\\0`) character and newlines to form part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline` that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not. This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the `--recursive` clone option as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and not clone with `--recursive` to allow inspection of any submodule URLs before cloning those submodules." 
}, { "lang": "es", "value": "Git Credential Manager (GCM) es un asistente seguro de credenciales de Git creado en .NET que se ejecuta en Windows, macOS y Linux. El protocolo de credenciales de Git se basa en texto sobre entrada/salida est\u00e1ndar y consta de una serie de l\u00edneas de pares clave-valor en el formato `clave=valor`. La documentaci\u00f3n de Git restringe el uso del car\u00e1cter NUL (`\\0`) y las nuevas l\u00edneas para formar parte de las claves o valores. Cuando Git lee desde la entrada est\u00e1ndar, considera tanto LF como CRLF como caracteres de nueva l\u00ednea para el protocolo de credenciales en virtud de la llamada a `strbuf_getline` que llama a `strbuf_getdelim_strip_crlf`. Git tambi\u00e9n valida que no haya una nueva l\u00ednea presente en el valor al verificar la presencia del car\u00e1cter de avance de l\u00ednea (LF, `\\n`) y genera errores si este es el caso. Esto captura las nuevas l\u00edneas de tipo LF y CRLF. Git Credential Manager utiliza la clase `StreamReader` Librer\u00eda est\u00e1ndar .NET para leer el flujo de entrada est\u00e1ndar l\u00ednea por l\u00ednea y analizar el formato del protocolo de credenciales `key=value`. La implementaci\u00f3n del m\u00e9todo `ReadLineAsync` considera LF, CRLF y CR como finales de l\u00ednea v\u00e1lidos. Esto significa que .NET considera un solo CR como un car\u00e1cter de nueva l\u00ednea v\u00e1lido, mientras que Git no lo hace. Esta falta de coincidencia en el tratamiento de las nuevas l\u00edneas entre Git y GCM significa que un atacante puede crear una URL remota maliciosa. Cuando un usuario clona o interact\u00faa de otro modo con un repositorio malicioso que requiere autenticaci\u00f3n, el atacante puede capturar las credenciales de otro repositorio remoto de Git. 
El ataque tambi\u00e9n se intensifica cuando se clona desde repositorios con subm\u00f3dulos cuando se usa la opci\u00f3n de clonaci\u00f3n `--recursive`, ya que el usuario no puede inspeccionar las URL remotas del subm\u00f3dulo de antemano. Este problema se ha corregido en la versi\u00f3n 2.6.1 y se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar solo deben interactuar con repositorios remotos confiables y no clonar con `--recursive` para permitir la inspecci\u00f3n de cualquier URL de subm\u00f3dulo antes de clonar esos subm\u00f3dulos." } ], "id": "CVE-2024-50338", "lastModified": "2025-01-14T19:15:31.967", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-01-14T19:15:31.967", "references": [ { "source": "security-advisories@github.com", "url": "https://git-scm.com/docs/git-credential#IOFMT" }, { "source": "security-advisories@github.com", "url": "https://github.com/dotnet/runtime/blob/e476b43b5cb42eb44ce23b1c7b793aa361624cf6/src/libraries/System.Private.CoreLib/src/System/IO/StreamReader.cs#L926" }, { "source": "security-advisories@github.com", "url": "https://github.com/git-ecosystem/git-credential-manager/blob/ae009e11a0fbef804ad9f78816d84a0bc7e052fe/src/shared/Core/StreamExtensions.cs#L138-L141" }, { "source": "security-advisories@github.com", "url": "https://github.com/git-ecosystem/git-credential-manager/compare/749e287571c78a2b61f926ccce6a707050871ab8...99e2f7f60e7364fe807e7925f361a81f3c47bd1b" }, { "source": 
"security-advisories@github.com", "url": "https://github.com/git-ecosystem/git-credential-manager/releases/tag/v2.6.1" }, { "source": "security-advisories@github.com", "url": "https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g" }, { "source": "security-advisories@github.com", "url": "https://github.com/git/git/blob/6a11438f43469f3815f2f0fc997bd45792ff04c0/credential.c#L311" }, { "source": "security-advisories@github.com", "url": "https://learn.microsoft.com/en-us/dotnet/api/system.io.streamreader?view=net-8.0" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.