Описание
GitHub: CVE-2024-50338 Malformed URL allows information disclosure through git-credential-manager
FAQ
Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Git for Windows software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is secrets or privileged information belonging to the user of the affected application.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | ||
| Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) | ||
| Microsoft Visual Studio 2022 version 17.6 | ||
| Microsoft Visual Studio 2022 version 17.8 | ||
| Microsoft Visual Studio 2022 version 17.10 | ||
| Microsoft Visual Studio 2022 version 17.12 |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
EPSS
7.4 High
CVSS3
Связанные уязвимости
Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation restricts the use of the NUL (`\0`) character and newlines to form part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline` that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineA
Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials
Уязвимость функции strbuf_getdelim_strip_crlf кроссплатформенного фреймворка для хранения учётных данных Git Credential Manager (GCM) распределенной системы управления версиями Git, позволяющая нарушителю раскрыть защищаемую информацию
EPSS
7.4 High
CVSS3