Severity Rating: HIGH

Software Affected 

•Git 2.17.x versions 2.17.4 and prior

•Git 2.18.x versions 2.18.3 and prior

•Git 2.19.x versions 2.19.4 and prior

•Git 2.20.x versions 2.20.3 and prior

•Git 2.21.x versions 2.21.2 and prior

•Git 2.22.x versions 2.22.3 and prior

•Git 2.23.x versions 2.23.2 and prior

•Git 2.24.x versions 2.24.2 and prior

•Git 2.25.x versions 2.25.3 and prior

•Git 2.26.x versions 2.26.1 and prior

Overview 

A vulnerability has been reported in Git which could allow a remote

attacker to access stored credentials on a targeted system. 

Description

This vulnerability exists in Git due to improper handling of URLs used for

"credential helper" programs. A remote attacker could exploit this

vulnerability by feeding a specially crafted URL to Git running on an

affected system - either directly or through systems which automatically

clone URLs not visible to the user, such as Git sub modules, or package

systems built around Git. 

Successful exploitation of this vulnerability could allow the attacker to

access stored credentials on the targeted system. 

Solution

Upgrade to the patched versions as mentioned at: 

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7

Vendor Information

Git

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7

References

https://access.redhat.com/security/cve/cve-2020-11008

https://www.suse.com/security/cve/CVE-2020-11008/

CVE Name

CVE-2020-11008