CVE-2024-52006 (GCVE-0-2024-52006)
Vulnerability from cvelistv5
Published
2025-01-14 18:39
Modified
2025-11-03 20:45
Severity ?
2.1 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-116 - Improper Encoding or Escaping of Output
  • CWE-147 - Improper Neutralization of Input Terminators
  • CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Summary
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
References
Impacted products
Vendor Product Version
git git Version: <= 2.40.3
Version: >= 2.41.0, <= 2.41.2
Version: >= 2.42.0, <= 2.42.3
Version: >= 2.43.0, <= 2.43.5
Version: >= 2.44.0, <= 2.44.2
Version: >= 2.45.0, <= 2.45.2
Version: >= 2.46.0, <= 2.46.2
Version: >= 2.47.0, < 2.47.2
Version: = 2.48.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52006",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T18:52:03.897787Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T18:52:11.014Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:45:24.231Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00025.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "git",
          "vendor": "git",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.40.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.41.0, \u003c= 2.41.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.42.0, \u003c= 2.42.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.43.0, \u003c= 2.43.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.44.0, \u003c= 2.44.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.45.0, \u003c= 2.45.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.46.0, \u003c= 2.46.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.47.0, \u003c 2.47.2"
            },
            {
              "status": "affected",
              "version": "= 2.48.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-147",
              "description": "CWE-147: Improper Neutralization of Input Terminators",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-150",
              "description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-21T17:03:14.854Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp"
        },
        {
          "name": "https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g"
        },
        {
          "name": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q"
        },
        {
          "name": "https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060"
        }
      ],
      "source": {
        "advisory": "GHSA-r5ph-xg7q-xfrp",
        "discovery": "UNKNOWN"
      },
      "title": "Newline confusion in credential helpers can lead to credential exfiltration in git"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52006",
    "datePublished": "2025-01-14T18:39:52.748Z",
    "dateReserved": "2024-11-04T17:46:16.779Z",
    "dateUpdated": "2025-11-03T20:45:24.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52006\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-14T18:52:03.897787Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-14T18:52:07.075Z\"}}], \"cna\": {\"title\": \"Newline confusion in credential helpers can lead to credential exfiltration in git\", \"source\": {\"advisory\": \"GHSA-r5ph-xg7q-xfrp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"git\", \"product\": \"git\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.40.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.41.0, \u003c= 2.41.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.42.0, \u003c= 2.42.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.43.0, \u003c= 2.43.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.44.0, \u003c= 2.44.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.45.0, \u003c= 2.45.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.46.0, \u003c= 2.46.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.47.0, \u003c 2.47.2\"}, {\"status\": \"affected\", \"version\": \"= 2.48.0\"}]}], \"references\": [{\"url\": \"https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp\", \"name\": \"https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g\", \"name\": \"https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q\", \"name\": \"https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060\", \"name\": \"https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116: Improper Encoding or Escaping of Output\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-147\", \"description\": \"CWE-147: Improper Neutralization of Input Terminators\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-150\", \"description\": \"CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-21T17:03:14.854Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52006\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-21T17:03:14.854Z\", \"dateReserved\": \"2024-11-04T17:46:16.779Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-14T18:39:52.748Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.