Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2024-52006
CVE-2024-52006:
Git vulnerability analysis and mitigation
Overview
Git has disclosed a security vulnerability (CVE-2024-52006) that affects its credential helper protocol implementation. The vulnerability stems from how certain ecosystems (particularly .NET and node.js) interpret single Carriage Return characters as newlines, which makes the previous protections against CVE-2020-5260 incomplete for credential helpers that handle Carriage Returns in this way. This issue affects Git versions up to v2.48.0, v2.47.1, v2.46.2, v2.45.2, v2.44.2, v2.43.5, v2.42.3, v2.41.2, and v2.40.3, and has been patched in versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4 (Git Advisory).
Technical details
The vulnerability exists in Git's line-based protocol used for exchanging information between Git and Git credential helpers. The core issue lies in the different interpretations of newline characters across systems. While Git's protocol is designed to be line-based with specific restrictions on newline characters, some credential helper implementations in .NET and node.js treat single Carriage Return characters as line terminators. This discrepancy in newline handling between Git and credential helpers creates a security weakness. The vulnerability has been assigned a CVSS v4.0 score of 2.1 (Low) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (Git Advisory).
Impact
When exploited, this vulnerability could allow an attacker to capture credentials for another Git remote through malicious repository interactions. The risk is particularly elevated when cloning repositories with submodules using the --recursive option, as users cannot inspect submodule remote URLs beforehand (GCM Advisory).
Mitigation and workarounds
The issue has been addressed in Git commit b01b9b8 and released in versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. For users unable to upgrade immediately, the recommended workaround is to avoid cloning from untrusted URLs, especially recursive clones. Additionally, users can set credential.protectProtocol=false if they need to allow Carriage Returns in the protocol (Git Advisory).
Community reactions
The security community has noted this vulnerability as a follow-up to the previous CVE-2020-5260, highlighting the ongoing challenges in securing credential handling across different platforms and ecosystems (Hacker News).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management