Credential Exposure in Git by Attacker-Controlled URLs
CVE-2024-50349
2.1 LOW
Summary
A vulnerability in Git allows attackers to abuse the credential prompt with specially crafted URLs that contain ANSI escape sequences. When a user is asked for credentials in the terminal (no credential helper configured), the hostname shown in the prompt can be made to mislead the user into entering sensitive information for an untrusted site. The flaw has been addressed in the latest Git releases, and users are strongly encouraged to update to avoid potential credential leaks. Those unable to upgrade should refrain from cloning from untrusted URLs, particularly in recursive clones.
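As an added illustration (not Git's own code or its fix): a pre-clone check that flags URLs carrying terminal control characters, whether raw or hidden behind percent-encoding, plus a helper that renders such characters visibly, which is the kind of sanitisation a terminal prompt needs before echoing a hostname. The function names and sample URLs are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Bytes that can steer a terminal: C0 controls (including ESC 0x1b, which
# starts ANSI escape sequences, and CR/BS which overwrite text), DEL, and
# the C1 control range.
CONTROL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def make_visible(text):
    """Render control characters in caret form (ESC -> '^[') so a prompt
    that echoes them shows literal text instead of driving the terminal."""
    def caret(m):
        c = ord(m.group())
        if c == 0x7F:
            return "^?"
        if c < 0x20:
            return "^" + chr(c + 0x40)
        return "\\x%02x" % c
    return CONTROL.sub(caret, text)


def check_clone_url(url):
    """Return (ok, findings). A URL is rejected when a control character
    appears raw anywhere, or when percent-decoding the userinfo, host or
    path would bring one back (a second place an escape can hide)."""
    findings = []
    for m in CONTROL.finditer(url):
        findings.append("raw control byte %r at offset %d" % (m.group(), m.start()))
    parts = urlsplit(url)
    components = (
        ("userinfo", parts.username or ""),
        ("host", parts.hostname or ""),
        ("path", parts.path),
    )
    for name, value in components:
        decoded = unquote(value)
        # Only report here if the control byte was not already caught raw.
        if CONTROL.search(decoded) and not CONTROL.search(value):
            findings.append("percent-encoded control byte in %s: %s"
                            % (name, make_visible(decoded)))
    return (not findings, findings)
```

A wrapper around `git clone` (or a recursive-clone hook over `.gitmodules` URLs) can call `check_clone_url` and refuse to proceed on any finding.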
Affected Version(s)
git <= 2.40.3
git >= 2.41.0, <= 2.41.2
git >= 2.42.0, <= 2.42.3
References
CVSS V4
Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published