VuXML: malicious URLs may present credentials to wrong server

malicious URLs may present credentials to wrong server

Affected packages
2.26.0	<=	git	<	2.26.1
2.25.0	<=	git	<	2.25.3
2.24.0	<=	git	<	2.24.2
2.23.0	<=	git	<	2.23.2
2.22.0	<=	git	<	2.22.3
2.21.0	<=	git	<	2.21.2
2.20.0	<=	git	<	2.20.3
2.19.0	<=	git	<	2.19.4
2.18.0	<=	git	<	2.18.3
0	<=	git	<	2.17.4
2.26.0	<=	git-lite	<	2.26.1
2.25.0	<=	git-lite	<	2.25.3
2.24.0	<=	git-lite	<	2.24.2
2.23.0	<=	git-lite	<	2.23.2
2.22.0	<=	git-lite	<	2.22.3
2.21.0	<=	git-lite	<	2.21.2
2.20.0	<=	git-lite	<	2.20.3
2.19.0	<=	git-lite	<	2.19.4
2.18.0	<=	git-lite	<	2.18.3
0	<=	git-lite	<	2.17.4
2.26.0	<=	git-gui	<	2.26.1
2.25.0	<=	git-gui	<	2.25.3
2.24.0	<=	git-gui	<	2.24.2
2.23.0	<=	git-gui	<	2.23.2
2.22.0	<=	git-gui	<	2.22.3
2.21.0	<=	git-gui	<	2.21.2
2.20.0	<=	git-gui	<	2.20.3
2.19.0	<=	git-gui	<	2.19.4
2.18.0	<=	git-gui	<	2.18.3
0	<=	git-gui	<	2.17.4

Details

VuXML ID	ced2d47e-8469-11ea-a283-b42e99a1b9c3
Discovery	2020-04-14
Entry	2020-04-22

VuXML ID

ced2d47e-8469-11ea-a283-b42e99a1b9c3

Discovery

2020-04-14

Entry

2020-04-22

git security advisory reports:

Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server for an HTTP request being made to another server, resulting in credentials for the former being sent to the latter.

[source]

CVE Name	CVE-2020-5260
URL	https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q

malicious URLs may present credentials to wrong server

Details

References