Mageia 7: 2020-0181 Moderate: Git Credential Exposure via Malicious URLs
mageia
April 24, 2020
Updated git packages fix security vulnerability: Malicious URLs can still cause Git to send a stored credential to the wrong server (CvE-2020-111008)
Summary
Updated git packages fix security vulnerability:
Malicious URLs can still cause Git to send a stored credential to
the wrong server (CvE-2020-111008).
With a crafted URL that contains a newline or empty host, or lacks a
scheme, the credential helper machinery can be fooled into providing
credential information that is not appropriate for the protocol in
use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
References
- https://bugs.mageia.org/show_bug.cgi?id=26516
- https://www.openwall.com/lists/oss-security/2020/04/20/1
- https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
- https://www.cve.org/CVERecord?id=CVE-2020-11008
Topics Covered
Resolution
SRPMS
- 7/core/git-2.21.3-1.mga7
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 24 Apr 2020
URL: https://advisories.mageia.org/MGASA-2020-0181.html
Type: security
CVE: CVE-2020-11008
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!