--- vuln2.xml Wed Apr 22 15:07:39 2020 +++ vuln.xml Wed Apr 22 15:08:54 2020 @@ -60,0 +61,66 @@ + + malicious URLs can cause git to send a stored credential to wrong server + + + git + 2.26.02.26.2 + 2.25.02.25.4 + 2.24.02.24.3 + 2.23.02.23.3 + 2.22.02.22.4 + 2.21.02.21.3 + 2.20.02.20.4 + 2.19.02.19.5 + 2.18.02.18.4 + 02.17.5 + + + git-lite + 2.26.02.26.2 + 2.25.02.25.4 + 2.24.02.24.3 + 2.23.02.23.3 + 2.22.02.22.4 + 2.21.02.21.3 + 2.20.02.20.4 + 2.19.02.19.5 + 2.18.02.18.4 + 02.17.5 + + + git-gui + 2.26.02.26.2 + 2.25.02.25.4 + 2.24.02.24.3 + 2.23.02.23.3 + 2.22.02.22.4 + 2.21.02.21.3 + 2.20.02.20.4 + 2.19.02.19.5 + 2.18.02.18.4 + 02.17.5 + + + + +

git security advisory reports:

+
+

Git uses external "credential helper" programs to store and retrieve passwords or + other credentials from secure storage provided by the operating system. Specially-crafted + URLs that are considered illegal as of the recently published Git versions can cause Git + to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers + will interpret this as matching any URL, and will return some unspecified stored password, + leaking the password to an attacker's server.

+
+ +
+ + https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7 + CVE-2020-11008 + + + 2020-04-20 + 2020-04-22 + +
+
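Review bot: The affected-package section repeats the same ten version ranges verbatim under git, git-lite and git-gui (2.26.0 to 2.26.2 down to 0 to 2.17.5), which makes the entry easy to get out of sync if a range is later corrected in only one copy. VuXML allows a single package element to carry several name elements, so the three names could share one range list. Separately, the quoted description says "recently published Git versions", which will not mean much to someone reading the entry later. Since the quote is the upstream advisory's wording, it is fine to keep, but the topic line or the ranges are what readers should rely on for the fixed versions.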