CVE-2024-53263
Public on
Last Modified:
Insights vulnerability analysis
Description
A flaw was found in the Git LFS git extension. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials.
Statement
This vulnerability in Git LFS is important rather than moderate because it directly impacts the security of credential handling, a core aspect of repository access control. By allowing an attacker to inject line-ending control characters, such as LF or CR, into URLs passed to the git-credential command, it bypasses a fundamental trust boundary between Git and the credential helper. This issue could enable attackers to intercept or exfiltrate user credentials, granting unauthorized access to repositories, including private and sensitive data.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Additional information
- Bugzilla 2338002: git-lfs: Git LFS permits exfiltration of credentials via crafted HTTP URLs
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
External references
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 8.1 | N/A |
Attack Vector | Network | N/A |
Attack Complexity | Low | N/A |
Privileges Required | None | N/A |
User Interaction | Required | N/A |
Scope | Unchanged | N/A |
Confidentiality Impact | High | N/A |
Integrity Impact | High | N/A |
Availability Impact | None | N/A |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Understanding the Weakness (CWE)
Confidentiality
Technical Impact: Read Application Data
Many injection attacks involve the disclosure of important information -- in terms of both data sensitivity and usefulness in further exploitation.
Access Control
Technical Impact: Bypass Protection Mechanism
In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Other
Technical Impact: Alter Execution Logic
Injection attacks are characterized by the ability to significantly change the flow of a given process, and in some cases, to the execution of arbitrary code.
Integrity,Other
Technical Impact: Other
Data injection attacks lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing.
Non-Repudiation
Technical Impact: Hide Activities
Often the actions performed by injected control code are unlogged.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
