
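--- a/vuln.xml
+++ b/vuln.xml
@@ -60,0 +61,67 @@
+  <vuln vid="ced2d47e-8469-11ea-a283-b42e99a1b9c3">
+    <topic>malicious URLs may present credentials to wrong server</topic>
+    <affects>
+      <package>
+	<name>git</name>
+	<range><ge>2.26.0</ge><lt>2.26.1</lt></range>
+	<range><ge>2.25.0</ge><lt>2.25.3</lt></range>
+	<range><ge>2.24.0</ge><lt>2.24.2</lt></range>
+	<range><ge>2.23.0</ge><lt>2.23.2</lt></range>
+	<range><ge>2.22.0</ge><lt>2.22.3</lt></range>
+	<range><ge>2.21.0</ge><lt>2.21.2</lt></range>
+	<range><ge>2.20.0</ge><lt>2.20.3</lt></range>
+	<range><ge>2.19.0</ge><lt>2.19.4</lt></range>
+	<range><ge>2.18.0</ge><lt>2.18.3</lt></range>
+	<range><ge>0</ge><lt>2.17.4</lt></range>
+      </package>
+      <package>
+	<name>git-lite</name>
+	<range><ge>2.26.0</ge><lt>2.26.1</lt></range>
+	<range><ge>2.25.0</ge><lt>2.25.3</lt></range>
+	<range><ge>2.24.0</ge><lt>2.24.2</lt></range>
+	<range><ge>2.23.0</ge><lt>2.23.2</lt></range>
+	<range><ge>2.22.0</ge><lt>2.22.3</lt></range>
+	<range><ge>2.21.0</ge><lt>2.21.2</lt></range>
+	<range><ge>2.20.0</ge><lt>2.20.3</lt></range>
+	<range><ge>2.19.0</ge><lt>2.19.4</lt></range>
+	<range><ge>2.18.0</ge><lt>2.18.3</lt></range>
+	<range><ge>0</ge><lt>2.17.4</lt></range>
+      </package>
+      <package>
+	<name>git-gui</name>
+	<range><ge>2.26.0</ge><lt>2.26.1</lt></range>
+	<range><ge>2.25.0</ge><lt>2.25.3</lt></range>
+	<range><ge>2.24.0</ge><lt>2.24.2</lt></range>
+	<range><ge>2.23.0</ge><lt>2.23.2</lt></range>
+	<range><ge>2.22.0</ge><lt>2.22.3</lt></range>
+	<range><ge>2.21.0</ge><lt>2.21.2</lt></range>
+	<range><ge>2.20.0</ge><lt>2.20.3</lt></range>
+	<range><ge>2.19.0</ge><lt>2.19.4</lt></range>
+	<range><ge>2.18.0</ge><lt>2.18.3</lt></range>
+	<range><ge>0</ge><lt>2.17.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>git security advisory reports:</p>
+	<blockquote cite="https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q">
+	  <p>Git uses external "credential helper" programs to store and retrieve passwords or
+	  other credentials from secure storage provided by the operating system.
+	  Specially-crafted URLs that contain an encoded newline can inject unintended values
+	  into the credential helper protocol stream, causing the credential helper to retrieve
+	  the password for one server for an HTTP request being made to another
+	  server, resulting in credentials for the former being sent to the
+	  latter.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q</url>
+      <cvename>CVE-2020-5260</cvename>
+    </references>
+    <dates>
+      <discovery>2020-04-14</discovery>
+      <entry>2020-04-22</entry>
+    </dates>
+  </vuln>
+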
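Review bot: The `<topic>` lacks the package prefix that VuXML topics conventionally carry, which makes the entry harder to attribute when only the topic line is shown; `<topic>git -- malicious URLs may present credentials to wrong server</topic>` would match that convention. The three `<package>` blocks repeat the same ten ranges, and since a `<package>` may list several `<name>` elements, a single block with `<name>git</name>`, `<name>git-lite</name>` and `<name>git-gui</name>` would keep the ranges from drifting apart on a later edit. If the port builds further flavours that ship the credential-helper code (an svn flavour, for instance), their package names would need the same ranges, otherwise installs of those packages would not be flagged; this is worth confirming against the port's Makefile. In the last range of each list, `<ge>0</ge>` is redundant next to `<lt>2.17.4</lt>`.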
