ID CVE-2020-5260
Summary Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
CVSS
Base: 5.0 (as of 19-03-2021 - 18:21)
CWE CWE-522
CAPEC
  • Use of Captured Tickets (Pass The Ticket)
    An adversary uses stolen Kerberos tickets to access systems that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
  • Remote Services with Stolen Credentials
    This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
  • Use of Captured Hashes (Pass The Hash)
    An adversary uses stolen hash values for a user's credentials (username and password) to access systems managed under the same credential framework that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. When authenticating via LM or NTLM, the hashed credentials' associated plaintext credentials are not required for successful authentication. Therefore, if an adversary can obtain the hashed credentials of a user, he can then pass these hash values to the server or service to authenticate without needing to brute-force the hashes to obtain their cleartext values. The adversary can then impersonate the user and laterally move within the network. This technique can be performed against any operating system which leverages the LM or NTLM protocols.
  • Session Sidejacking
    Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
  • Modify Existing Service
    When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
  • Windows Admin Shares with Stolen Credentials
    Windows systems have hidden network shares that are only accessible to administrators and allow files to be written to the local computer. Example network shares include: C$, ADMIN$ and IPC$. Adversaries may use valid administrator credentials to remotely access a network share to transfer files and execute code. It is possible for adversaries to use NTLM hashes to access administrator shares on systems with certain configuration and patch levels.
  • Password Recovery Exploitation
    An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in to one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
  • Use of Known Domain Credentials
    An adversary uses stolen credentials (e.g., userid and password) to access systems managed under the same credential framework on a local network. Often, users are allowed to login to connected machines using the same password. Discovery of the password on one machine allows for lateral movement to those machines.
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1822020
    title CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
    rhsa
    id RHSA-2020:1511
    released 2020-04-21
    severity Important
    title RHSA-2020:1511: git security update (Important)
  • bugzilla
    id 1822020
    title CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
    rhsa
    id RHSA-2020:1513
    released 2020-04-21
    severity Important
    title RHSA-2020:1513: git security update (Important)
rpms
  • rh-git218-git-0:2.18.2-3.el7
  • rh-git218-git-all-0:2.18.2-3.el7
  • rh-git218-git-core-0:2.18.2-3.el7
  • rh-git218-git-core-doc-0:2.18.2-3.el7
  • rh-git218-git-cvs-0:2.18.2-3.el7
  • rh-git218-git-daemon-0:2.18.2-3.el7
  • rh-git218-git-debuginfo-0:2.18.2-3.el7
  • rh-git218-git-email-0:2.18.2-3.el7
  • rh-git218-git-gui-0:2.18.2-3.el7
  • rh-git218-git-instaweb-0:2.18.2-3.el7
  • rh-git218-git-p4-0:2.18.2-3.el7
  • rh-git218-git-subtree-0:2.18.2-3.el7
  • rh-git218-git-svn-0:2.18.2-3.el7
  • rh-git218-gitk-0:2.18.2-3.el7
  • rh-git218-gitweb-0:2.18.2-3.el7
  • rh-git218-perl-Git-0:2.18.2-3.el7
  • rh-git218-perl-Git-SVN-0:2.18.2-3.el7
  • emacs-git-0:1.8.3.1-22.el7_8
  • emacs-git-el-0:1.8.3.1-22.el7_8
  • git-0:1.8.3.1-22.el7_8
  • git-all-0:1.8.3.1-22.el7_8
  • git-bzr-0:1.8.3.1-22.el7_8
  • git-cvs-0:1.8.3.1-22.el7_8
  • git-daemon-0:1.8.3.1-22.el7_8
  • git-debuginfo-0:1.8.3.1-22.el7_8
  • git-email-0:1.8.3.1-22.el7_8
  • git-gnome-keyring-0:1.8.3.1-22.el7_8
  • git-gui-0:1.8.3.1-22.el7_8
  • git-hg-0:1.8.3.1-22.el7_8
  • git-instaweb-0:1.8.3.1-22.el7_8
  • git-p4-0:1.8.3.1-22.el7_8
  • git-svn-0:1.8.3.1-22.el7_8
  • gitk-0:1.8.3.1-22.el7_8
  • gitweb-0:1.8.3.1-22.el7_8
  • perl-Git-0:1.8.3.1-22.el7_8
  • perl-Git-SVN-0:1.8.3.1-22.el7_8
  • git-0:2.18.2-2.el8_1
  • git-all-0:2.18.2-2.el8_1
  • git-core-0:2.18.2-2.el8_1
  • git-core-debuginfo-0:2.18.2-2.el8_1
  • git-core-doc-0:2.18.2-2.el8_1
  • git-daemon-0:2.18.2-2.el8_1
  • git-daemon-debuginfo-0:2.18.2-2.el8_1
  • git-debuginfo-0:2.18.2-2.el8_1
  • git-debugsource-0:2.18.2-2.el8_1
  • git-email-0:2.18.2-2.el8_1
  • git-gui-0:2.18.2-2.el8_1
  • git-instaweb-0:2.18.2-2.el8_1
  • git-subtree-0:2.18.2-2.el8_1
  • git-svn-0:2.18.2-2.el8_1
  • git-svn-debuginfo-0:2.18.2-2.el8_1
  • gitk-0:2.18.2-2.el8_1
  • gitweb-0:2.18.2-2.el8_1
  • perl-Git-0:2.18.2-2.el8_1
  • perl-Git-SVN-0:2.18.2-2.el8_1
  • git-0:2.18.2-2.el8_0
  • git-all-0:2.18.2-2.el8_0
  • git-core-0:2.18.2-2.el8_0
  • git-core-debuginfo-0:2.18.2-2.el8_0
  • git-core-doc-0:2.18.2-2.el8_0
  • git-daemon-0:2.18.2-2.el8_0
  • git-daemon-debuginfo-0:2.18.2-2.el8_0
  • git-debuginfo-0:2.18.2-2.el8_0
  • git-debugsource-0:2.18.2-2.el8_0
  • git-email-0:2.18.2-2.el8_0
  • git-gui-0:2.18.2-2.el8_0
  • git-instaweb-0:2.18.2-2.el8_0
  • git-subtree-0:2.18.2-2.el8_0
  • git-svn-0:2.18.2-2.el8_0
  • git-svn-debuginfo-0:2.18.2-2.el8_0
  • gitk-0:2.18.2-2.el8_0
  • gitweb-0:2.18.2-2.el8_0
  • perl-Git-0:2.18.2-2.el8_0
  • perl-Git-SVN-0:2.18.2-2.el8_0
  • emacs-git-0:1.8.3.1-23.el7_7
  • emacs-git-el-0:1.8.3.1-23.el7_7
  • git-0:1.8.3.1-23.el7_7
  • git-all-0:1.8.3.1-23.el7_7
  • git-bzr-0:1.8.3.1-23.el7_7
  • git-cvs-0:1.8.3.1-23.el7_7
  • git-daemon-0:1.8.3.1-23.el7_7
  • git-debuginfo-0:1.8.3.1-23.el7_7
  • git-email-0:1.8.3.1-23.el7_7
  • git-gnome-keyring-0:1.8.3.1-23.el7_7
  • git-gui-0:1.8.3.1-23.el7_7
  • git-hg-0:1.8.3.1-23.el7_7
  • git-instaweb-0:1.8.3.1-23.el7_7
  • git-p4-0:1.8.3.1-23.el7_7
  • git-svn-0:1.8.3.1-23.el7_7
  • gitk-0:1.8.3.1-23.el7_7
  • gitweb-0:1.8.3.1-23.el7_7
  • perl-Git-0:1.8.3.1-23.el7_7
  • perl-Git-SVN-0:1.8.3.1-23.el7_7
refmap via4
confirm
debian DSA-4657
fedora
  • FEDORA-2020-4e093619bb
  • FEDORA-2020-b2a2c830cf
  • FEDORA-2020-c6548b488f
  • FEDORA-2020-cdef88bb89
  • FEDORA-2020-f6b3b6fb18
gentoo GLSA-202004-13
misc
mlist
  • [debian-lts-announce] 20200415 [SECURITY] [DLA 2177-1] git security update
  • [oss-security] 20200415 CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server
  • [oss-security] 20200415 Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server
  • [oss-security] 20200420 CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server
suse
  • openSUSE-SU-2020:0524
  • openSUSE-SU-2020:0598
ubuntu USN-4329-1
Last major update 19-03-2021 - 18:21
Published 14-04-2020 - 23:15
Last modified 19-03-2021 - 18:21