View | Details | Raw Unified | Return to bug 245822
Collapse All | Expand All

(-)vuln.xml (+66 lines)
Line 60 Link Here
61 
  <vuln vid="67765237-8470-11ea-a283-b42e99a1b9c3">
62 
    <topic>malicious URLs can cause git to send a stored credential to wrong server</topic>
63 
    <affects>
64 
      <package>
65 
	<name>git</name>
66 
	<range><ge>2.26.0</ge><lt>2.26.2</lt></range>
67 
	<range><ge>2.25.0</ge><lt>2.25.4</lt></range>
68 
	<range><ge>2.24.0</ge><lt>2.24.3</lt></range>
69 
	<range><ge>2.23.0</ge><lt>2.23.3</lt></range>
70 
	<range><ge>2.22.0</ge><lt>2.22.4</lt></range>
71 
	<range><ge>2.21.0</ge><lt>2.21.3</lt></range>
72 
	<range><ge>2.20.0</ge><lt>2.20.4</lt></range>
73 
	<range><ge>2.19.0</ge><lt>2.19.5</lt></range>
74 
	<range><ge>2.18.0</ge><lt>2.18.4</lt></range>
75 
	<range><ge>0</ge><lt>2.17.5</lt></range>
76 
      </package>
77 
      <package>
78 
	<name>git-lite</name>
79 
	<range><ge>2.26.0</ge><lt>2.26.2</lt></range>
80 
	<range><ge>2.25.0</ge><lt>2.25.4</lt></range>
81 
	<range><ge>2.24.0</ge><lt>2.24.3</lt></range>
82 
	<range><ge>2.23.0</ge><lt>2.23.3</lt></range>
83 
	<range><ge>2.22.0</ge><lt>2.22.4</lt></range>
84 
	<range><ge>2.21.0</ge><lt>2.21.3</lt></range>
85 
	<range><ge>2.20.0</ge><lt>2.20.4</lt></range>
86 
	<range><ge>2.19.0</ge><lt>2.19.5</lt></range>
87 
	<range><ge>2.18.0</ge><lt>2.18.4</lt></range>
88 
	<range><ge>0</ge><lt>2.17.5</lt></range>
89 
      </package>
90 
      <package>
91 
	<name>git-gui</name>
92 
	<range><ge>2.26.0</ge><lt>2.26.2</lt></range>
93 
	<range><ge>2.25.0</ge><lt>2.25.4</lt></range>
94 
	<range><ge>2.24.0</ge><lt>2.24.3</lt></range>
95 
	<range><ge>2.23.0</ge><lt>2.23.3</lt></range>
96 
	<range><ge>2.22.0</ge><lt>2.22.4</lt></range>
97 
	<range><ge>2.21.0</ge><lt>2.21.3</lt></range>
98 
	<range><ge>2.20.0</ge><lt>2.20.4</lt></range>
99 
	<range><ge>2.19.0</ge><lt>2.19.5</lt></range>
100 
	<range><ge>2.18.0</ge><lt>2.18.4</lt></range>
101 
	<range><ge>0</ge><lt>2.17.5</lt></range>
102 
      </package>
103 
    </affects>
104 
    <description>
105 
      <body xmlns="http://www.w3.org/1999/xhtml">
106 
	<p>git security advisory reports:</p>
107 
	<blockquote cite="https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7">
108 
	  <p>Git uses external "credential helper" programs to store and retrieve passwords or
109 
	  other credentials from secure storage provided by the operating system. Specially-crafted
110 
	  URLs that are considered illegal as of the recently published Git versions can cause Git
111 
	  to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers
112 
	  will interpret this as matching any URL, and will return some unspecified stored password,
113 
	  leaking the password to an attacker's server.</p>
114 
	</blockquote>
115 
      </body>
116 
    </description>
117 
    <references>
118 
      <url>https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7</url>
119 
      <cvename>CVE-2020-11008</cvename>
120 
    </references>
121 
    <dates>
122 
      <discovery>2020-04-20</discovery>
123 
      <entry>2020-04-22</entry>
124 
    </dates>
125 
  </vuln>
126 

            






  

  Return to bug 245822