CVE-2020-5260

🗓️ 14 Apr 2020 22:50:12Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 3 Media mentions👁 473 Views🌐 WEB

Git vulnerability allows credential leakage to attacker controlled hos

Reporter	Title	Published	Views	Family All 215
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM API Connect	15 Mar 202500:18	–	ibm
ALT Linux	Security fix for the ALT Linux 10 package git version 2.25.3-alt1	18 Mar 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package git version 2.25.3-alt1	15 Apr 202000:00	–	altlinux
GithubExploit	Exploit for Insufficiently Protected Credentials in Git	15 Apr 202010:16	–	githubexploit
GithubExploit	Exploit for Insufficiently Protected Credentials in Git	16 Apr 202016:19	–	githubexploit
ATTACKERKB	CVE-2020-5260	14 Apr 202000:00	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : git, git-all, git-core (ALAS2023-2025-815)	24 Jan 202500:00	–	nessus
Tenable Nessus	Amazon Linux 2 : git (ALAS-2020-1409)	16 Apr 202000:00	–	nessus
Tenable Nessus	Amazon Linux 2 : git (ALAS-2025-2737)	24 Jan 202500:00	–	nessus
Tenable Nessus	Amazon Linux AMI : git (ALAS-2020-1357)	17 Apr 202000:00	–	nessus

NVD

Vulners

Node

git gitRange<2.17.4

git gitRange2.22.0–2.22.3

git-scm gitRange2.18.0–2.18.3

git-scm gitRange2.19.0–2.19.4

git-scm gitRange2.20.0–2.20.3

git-scm gitRange2.21.0–2.21.2

git-scm gitRange2.23.0–2.23.2

git-scm gitRange2.24.0–2.24.2

git-scm gitRange2.25.0–2.25.3

git-scm gitRange2.26.0–2.26.1

Node

canonical ubuntu_linuxMatch16.04lts

canonical ubuntu_linuxMatch18.04lts

canonical ubuntu_linuxMatch19.10

debian debian_linuxMatch8.0

debian debian_linuxMatch9.0

debian debian_linuxMatch10.0

fedoraproject fedoraMatch30

fedoraproject fedoraMatch31

fedoraproject fedoraMatch32

opensuse leapMatch15.1

[
  {
    "product": "git",
    "vendor": "git",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.17.4"
      },
      {
        "status": "affected",
        "version": ">= 2.18.0, < 2.18.3"
      },
      {
        "status": "affected",
        "version": ">= 2.19.0, 2.19.4"
      },
      {
        "status": "affected",
        "version": ">= 2.20.0, < 2.20.3"
      },
      {
        "status": "affected",
        "version": ">= 2.21.0, < 2.21.2"
      },
      {
        "status": "affected",
        "version": ">= 2.22.0, < 2.22.3"
      },
      {
        "status": "affected",
        "version": ">= 2.23.0, < 2.23.2"
      },
      {
        "status": "affected",
        "version": ">= 2.24.0, < 2.24.2"
      },
      {
        "status": "affected",
        "version": ">= 2.25.0, < 2.25.3"
      },
      {
        "status": "affected",
        "version": ">= 2.26.0, < 2.26.1"
      }
    ]
  }
]

Source	Link
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/
packetstormsecurity	www.packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html
openwall	www.openwall.com/lists/oss-security/2020/04/15/5
lists	www.lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
openwall	www.openwall.com/lists/oss-security/2020/04/20/1
security	www.security.gentoo.org/glsa/202004-13
openwall	www.openwall.com/lists/oss-security/2020/04/15/6
lists	www.lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/
usn	www.usn.ubuntu.com/4329-1/

Parameter	Position	Path	Description	CWE
host	path	/%0ahost=github.com%0aprotocol=https	Credential leakage via newline-encoded URL causing credentials for one host to be sent to another during Git operations.	CWE-522, CWE-20
protocol	path	/%0ahost=github.com%0aprotocol=https	Credential leakage via newline-encoded URL causing credentials for one host to be sent to another during Git operations.	CWE-522, CWE-20

21 Nov 2024 05:33Current

7.2High risk

Vulners AI Score7.2

CVSS 25

CVSS 3.17.5 - 9.3

EPSS0.37878