=====================================================================

                              CERT-Renater

                  Information Note No. 2025/VULN007

_____________________________________________________________________

DATE                : 16/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running git-lfs versions prior to 3.6.1.

=====================================================================
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
_____________________________________________________________________

Git LFS permits retrieval of credentials via crafted HTTP URLs
High
chrisd8088 published GHSA-q6r2-x2cc-vrp7 Jan 14, 2025

Package
git-lfs (Go)

Affected versions
0.1.0-3.6.0

Patched versions
3.6.1


Description

Impact

When Git LFS requests credentials from Git for a remote host, it passes
portions of the host's URL to the git-credential(1) command without
checking for embedded line-ending control characters, and then sends
any credentials it receives back from the Git credential helper to
the remote host. By inserting URL-encoded control characters such as
line feed (LF) or carriage return (CR) characters into the URL, an
attacker may be able to retrieve a user's Git credentials.
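As an added illustration (not code from git-lfs, the advisory, or the fix commit), the Go program below shows the kind of check the description implies is missing: it builds the key=value request that would be written to git-credential(1) from a parsed remote URL and refuses to proceed when any component, once percent-decoded, contains a CR, LF or NUL byte, because those bytes would otherwise be read as extra lines of the credential protocol. The sample URLs are constructed; the field layout follows the protocol=/host=/path=/username= lines documented for git-credential(1), and path is always emitted here for illustration (Git itself only sends it when credential.useHttpPath is set).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hasLineControlChars reports whether a value contains bytes that a
// line-oriented key=value protocol such as git-credential(1)'s would read
// as a line terminator (CR, LF) or string terminator (NUL).
func hasLineControlChars(value string) bool {
	return strings.ContainsAny(value, "\r\n\x00")
}

// credentialRequest builds the request that would be sent to
// `git credential fill` for rawURL. Each component is checked AFTER
// percent-decoding, because that is the form the helper would receive;
// any embedded control character causes the request to be rejected rather
// than forwarded. (Illustrative code, not git-lfs's own implementation.)
func credentialRequest(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		// Go's url.Parse already rejects %0A / %0D in the host component;
		// the path and userinfo components are where decoding lets them through.
		return "", fmt.Errorf("unparseable remote URL: %w", err)
	}

	// Fixed key order gives a stable request; path is always included here
	// for illustration (Git sends it only when credential.useHttpPath is set).
	keys := []string{"protocol", "host", "path", "username"}
	fields := map[string]string{
		"protocol": u.Scheme,
		"host":     u.Host,
		"path":     strings.TrimPrefix(u.Path, "/"),
	}
	if u.User != nil {
		fields["username"] = u.User.Username()
	}

	for _, key := range keys {
		if hasLineControlChars(fields[key]) {
			return "", fmt.Errorf("refusing to query credential helper: %q component contains a line-ending or NUL character", key)
		}
	}

	var b strings.Builder
	for _, key := range keys {
		if v := fields[key]; v != "" {
			fmt.Fprintf(&b, "%s=%s\n", key, v)
		}
	}
	return b.String(), nil
}

func main() {
	// Constructed sample URLs: an ordinary remote, and one carrying a
	// percent-encoded line feed in its path (the pattern the advisory describes).
	for _, raw := range []string{
		"https://example.com/org/repo.git",
		"https://example.com/repo%0Ahost=evil.example",
	} {
		req, err := credentialRequest(raw)
		if err != nil {
			fmt.Printf("%s -> rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%s -> request:\n%s", raw, req)
	}
}
```

Running it shows the ordinary remote producing a three-line request while the URL with the encoded line feed is rejected before anything reaches the helper; the same check applied to the decoded username component covers URLs that carry userinfo.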


Patches

This problem exists in all previous versions and is patched in v3.6.1.
All users should upgrade to v3.6.1.


Workarounds

There are no workarounds known at this time.


References

    GHSA-q6r2-x2cc-vrp7
    https://nvd.nist.gov/vuln/detail/CVE-2024-53263
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53263
    https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
    git-lfs/git-lfs@0345b6f816

For more information

If you have any questions or comments about this advisory:

    For general questions, start a discussion in the Git LFS discussion forum.
    For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.


Severity
High

8.5 / 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2024-53263

Weaknesses
No CWEs

Credits

    @Ry0taK (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
