fkie_cve-2024-50338
Vulnerability from fkie_nvd
Published
2025-01-14 19:15
Modified
2025-01-14 19:15
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Summary
Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation restricts the use of the NUL (`\0`) character and newlines to form part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline` that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not. This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the `--recursive` clone option as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and not clone with `--recursive` to allow inspection of any submodule URLs before cloning those submodules.
References
security-advisories@github.comhttps://git-scm.com/docs/git-credential#IOFMT
security-advisories@github.comhttps://github.com/dotnet/runtime/blob/e476b43b5cb42eb44ce23b1c7b793aa361624cf6/src/libraries/System.Private.CoreLib/src/System/IO/StreamReader.cs#L926
security-advisories@github.comhttps://github.com/git-ecosystem/git-credential-manager/blob/ae009e11a0fbef804ad9f78816d84a0bc7e052fe/src/shared/Core/StreamExtensions.cs#L138-L141
security-advisories@github.comhttps://github.com/git-ecosystem/git-credential-manager/compare/749e287571c78a2b61f926ccce6a707050871ab8...99e2f7f60e7364fe807e7925f361a81f3c47bd1b
security-advisories@github.comhttps://github.com/git-ecosystem/git-credential-manager/releases/tag/v2.6.1
security-advisories@github.comhttps://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g
security-advisories@github.comhttps://github.com/git/git/blob/6a11438f43469f3815f2f0fc997bd45792ff04c0/credential.c#L311
security-advisories@github.comhttps://learn.microsoft.com/en-us/dotnet/api/system.io.streamreader?view=net-8.0
Impacted products
Vendor Product Version


To clipboard 

{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation restricts the use of the NUL (`\\0`) character and newlines to form part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline` that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not. This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the `--recursive` clone option as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and not clone with `--recursive` to allow inspection of any submodule URLs before cloning those submodules.",
      },
      {
         lang: "es",
         value: "Git Credential Manager (GCM) es un asistente seguro de credenciales de Git creado en .NET que se ejecuta en Windows, macOS y Linux. El protocolo de credenciales de Git se basa en texto sobre entrada/salida estándar y consta de una serie de líneas de pares clave-valor en el formato `clave=valor`. La documentación de Git restringe el uso del carácter NUL (`\\0`) y las nuevas líneas para formar parte de las claves o valores. Cuando Git lee desde la entrada estándar, considera tanto LF como CRLF como caracteres de nueva línea para el protocolo de credenciales en virtud de la llamada a `strbuf_getline` que llama a `strbuf_getdelim_strip_crlf`. Git también valida que no haya una nueva línea presente en el valor al verificar la presencia del carácter de avance de línea (LF, `\\n`) y genera errores si este es el caso. Esto captura las nuevas líneas de tipo LF y CRLF. Git Credential Manager utiliza la clase `StreamReader` Librería estándar .NET para leer el flujo de entrada estándar línea por línea y analizar el formato del protocolo de credenciales `key=value`. La implementación del método `ReadLineAsync` considera LF, CRLF y CR como finales de línea válidos. Esto significa que .NET considera un solo CR como un carácter de nueva línea válido, mientras que Git no lo hace. Esta falta de coincidencia en el tratamiento de las nuevas líneas entre Git y GCM significa que un atacante puede crear una URL remota maliciosa. Cuando un usuario clona o interactúa de otro modo con un repositorio malicioso que requiere autenticación, el atacante puede capturar las credenciales de otro repositorio remoto de Git. El ataque también se intensifica cuando se clona desde repositorios con submódulos cuando se usa la opción de clonación `--recursive`, ya que el usuario no puede inspeccionar las URL remotas del submódulo de antemano. Este problema se ha corregido en la versión 2.6.1 y se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar solo deben interactuar con repositorios remotos confiables y no clonar con `--recursive` para permitir la inspección de cualquier URL de submódulo antes de clonar esos submódulos.",
      },
   ],
   id: "CVE-2024-50338",
   lastModified: "2025-01-14T19:15:31.967",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.4,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 4,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
      ],
   },
   published: "2025-01-14T19:15:31.967",
   references: [
      {
         source: "security-advisories@github.com",
         url: "https://git-scm.com/docs/git-credential#IOFMT",
      },
      {
         source: "security-advisories@github.com",
         url: "https://github.com/dotnet/runtime/blob/e476b43b5cb42eb44ce23b1c7b793aa361624cf6/src/libraries/System.Private.CoreLib/src/System/IO/StreamReader.cs#L926",
      },
      {
         source: "security-advisories@github.com",
         url: "https://github.com/git-ecosystem/git-credential-manager/blob/ae009e11a0fbef804ad9f78816d84a0bc7e052fe/src/shared/Core/StreamExtensions.cs#L138-L141",
      },
      {
         source: "security-advisories@github.com",
         url: "https://github.com/git-ecosystem/git-credential-manager/compare/749e287571c78a2b61f926ccce6a707050871ab8...99e2f7f60e7364fe807e7925f361a81f3c47bd1b",
      },
      {
         source: "security-advisories@github.com",
         url: "https://github.com/git-ecosystem/git-credential-manager/releases/tag/v2.6.1",
      },
      {
         source: "security-advisories@github.com",
         url: "https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g",
      },
      {
         source: "security-advisories@github.com",
         url: "https://github.com/git/git/blob/6a11438f43469f3815f2f0fc997bd45792ff04c0/credential.c#L311",
      },
      {
         source: "security-advisories@github.com",
         url: "https://learn.microsoft.com/en-us/dotnet/api/system.io.streamreader?view=net-8.0",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Awaiting Analysis",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-200",
            },
         ],
         source: "security-advisories@github.com",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.