
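--- a/vuln.xml
+++ b/vuln.xml
@@ -60,0 +61,66 @@
+  <vuln vid="67765237-8470-11ea-a283-b42e99a1b9c3">
+    <topic>malicious URLs can cause git to send a stored credential to wrong server</topic>
+    <affects>
+      <package>
+	<name>git</name>
+	<range><ge>2.26.0</ge><lt>2.26.2</lt></range>
+	<range><ge>2.25.0</ge><lt>2.25.4</lt></range>
+	<range><ge>2.24.0</ge><lt>2.24.3</lt></range>
+	<range><ge>2.23.0</ge><lt>2.23.3</lt></range>
+	<range><ge>2.22.0</ge><lt>2.22.4</lt></range>
+	<range><ge>2.21.0</ge><lt>2.21.3</lt></range>
+	<range><ge>2.20.0</ge><lt>2.20.4</lt></range>
+	<range><ge>2.19.0</ge><lt>2.19.5</lt></range>
+	<range><ge>2.18.0</ge><lt>2.18.4</lt></range>
+	<range><ge>0</ge><lt>2.17.5</lt></range>
+      </package>
+      <package>
+	<name>git-lite</name>
+	<range><ge>2.26.0</ge><lt>2.26.2</lt></range>
+	<range><ge>2.25.0</ge><lt>2.25.4</lt></range>
+	<range><ge>2.24.0</ge><lt>2.24.3</lt></range>
+	<range><ge>2.23.0</ge><lt>2.23.3</lt></range>
+	<range><ge>2.22.0</ge><lt>2.22.4</lt></range>
+	<range><ge>2.21.0</ge><lt>2.21.3</lt></range>
+	<range><ge>2.20.0</ge><lt>2.20.4</lt></range>
+	<range><ge>2.19.0</ge><lt>2.19.5</lt></range>
+	<range><ge>2.18.0</ge><lt>2.18.4</lt></range>
+	<range><ge>0</ge><lt>2.17.5</lt></range>
+      </package>
+      <package>
+	<name>git-gui</name>
+	<range><ge>2.26.0</ge><lt>2.26.2</lt></range>
+	<range><ge>2.25.0</ge><lt>2.25.4</lt></range>
+	<range><ge>2.24.0</ge><lt>2.24.3</lt></range>
+	<range><ge>2.23.0</ge><lt>2.23.3</lt></range>
+	<range><ge>2.22.0</ge><lt>2.22.4</lt></range>
+	<range><ge>2.21.0</ge><lt>2.21.3</lt></range>
+	<range><ge>2.20.0</ge><lt>2.20.4</lt></range>
+	<range><ge>2.19.0</ge><lt>2.19.5</lt></range>
+	<range><ge>2.18.0</ge><lt>2.18.4</lt></range>
+	<range><ge>0</ge><lt>2.17.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>git security advisory reports:</p>
+	<blockquote cite="https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7">
+	  <p>Git uses external "credential helper" programs to store and retrieve passwords or
+	  other credentials from secure storage provided by the operating system. Specially-crafted
+	  URLs that are considered illegal as of the recently published Git versions can cause Git
+	  to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers
+	  will interpret this as matching any URL, and will return some unspecified stored password,
+	  leaking the password to an attacker's server.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7</url>
+      <cvename>CVE-2020-11008</cvename>
+    </references>
+    <dates>
+      <discovery>2020-04-20</discovery>
+      <entry>2020-04-22</entry>
+    </dates>
+  </vuln>
+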
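Review bot: The same ten `<range>` elements are copied verbatim into three separate `<package>` blocks (git, git-lite and git-gui, new lines 64–102), so a later correction to one fixed-version bound can silently leave the other two packages reporting a stale affected set. VuXML permits several `<name>` children in one `<package>`, so a single block with `<name>git</name>`, `<name>git-lite</name>`, `<name>git-gui</name>` followed by the one range list would state the affected versions once and keep the three ports in lockstep. A smaller point of style: the `<name>` and `<range>` lines are indented with a tab while the enclosing `<package>` and `<affects>` use spaces; if that is the file's established convention it can stay, otherwise pick one scheme for the whole entry.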
