Cyber Posture

CVE-2024-50338
Severity: High
Published: 14 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in GCM 2.6.1)
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
EPSS Score: 0.0015 (35.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation restricts the use of the NUL (`\0`) character and newlines as part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline`, which in turn calls `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This means that .NET considers a single CR as a valid newline character, whereas Git does not. This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules using the `--recursive` clone option, as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and should not clone with `--recursive`, so that any submodule URLs can be inspected before those submodules are cloned.

Security Summary

CVE-2024-50338 is a vulnerability in Git Credential Manager (GCM), a .NET-based secure Git credential helper that operates on Windows, macOS, and Linux. The issue stems from a mismatch in newline character handling between Git's credential protocol and GCM's implementation. Git's protocol uses text-based key-value pairs over stdin/stdout, restricting NUL characters and newlines in keys/values, and treats both LF and CRLF as newlines via strbuf_getline, while validating against LF in values. However, GCM employs the .NET StreamReader class, whose ReadLineAsync method also recognizes a single CR as a valid line ending, which Git does not. This discrepancy enables attackers to craft malicious remote URLs that manipulate credential parsing.

An attacker can exploit this by controlling a Git repository that requires authentication, tricking a user into cloning or interacting with it—particularly when using the --recursive option for submodules, where users cannot easily inspect submodule remote URLs beforehand. The exploit requires network access and user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N), with no privileges needed. Successful exploitation allows the attacker to capture credentials intended for a different, legitimate Git remote, leading to exposure of sensitive authentication data (CWE-200).

The vulnerability has been addressed in GCM version 2.6.1, and all users are advised to upgrade immediately. For those unable to update, mitigation involves interacting only with trusted remote repositories and avoiding the --recursive clone option to manually inspect and clone submodules. Relevant details are available in the GCM release notes and related code changes.
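The description and summary above both turn on one detail: Git ends a credential-protocol line only at LF (stripping a CR that immediately precedes it), while a reader that also treats a bare CR as a line ending will see one `key=value` line as two. The following Python is an added example, not code from Git or from Git Credential Manager; the function names (`split_lines_git`, `split_lines_lenient`, `parse_strict`, `parse_lenient`, `strict_rejects`) and the three sample inputs are constructed for this illustration. The strict parser mirrors Git's line splitting and, as a hardening choice that goes slightly beyond Git's own LF-only check, refuses any key or value still containing NUL, CR or LF; the lenient parser models the CR-as-newline rule the advisory attributes to `ReadLineAsync`, so the two can be compared on identical input.

```python
from __future__ import annotations

import re

# Characters the Git credential protocol forbids inside a key or a value.
FORBIDDEN_CHARS = ("\0", "\r", "\n")


def split_lines_git(data: str) -> list[str]:
    """Split the way Git reads credential input: only LF ends a line, and a CR
    sitting right before that LF is dropped (strbuf_getline ->
    strbuf_getdelim_strip_crlf). A CR anywhere else stays inside the line."""
    return [line[:-1] if line.endswith("\r") else line for line in data.split("\n")]


def split_lines_lenient(data: str) -> list[str]:
    """Split treating LF, CRLF and a bare CR as line endings, the rule the
    advisory attributes to .NET StreamReader.ReadLineAsync."""
    return re.split(r"\r\n|\r|\n", data)


def parse_credential_records(lines: list[str]) -> dict[str, str]:
    """Consume key=value lines up to the blank terminator line.

    Any NUL, CR or LF that survives inside a key or value is rejected.
    Git itself only checks values for LF; rejecting CR too is a hardening
    choice (ours, not Git's) for a helper that must never disagree with Git
    about where a line ends.
    """
    record: dict[str, str] = {}
    for line in lines:
        if line == "":
            break  # a blank line terminates the request
        if "=" not in line:
            raise ValueError(f"malformed credential line: {line!r}")
        key, value = line.split("=", 1)
        if any(ch in key or ch in value for ch in FORBIDDEN_CHARS):
            raise ValueError(f"control character in credential field {key!r}")
        record[key] = value
    return record


def parse_strict(data: str) -> dict[str, str]:
    """Git-compatible parse: LF-only line endings plus control-character check."""
    return parse_credential_records(split_lines_git(data))


def parse_lenient(data: str) -> dict[str, str]:
    """Parse with CR accepted as a line ending (the mismatching behaviour)."""
    return parse_credential_records(split_lines_lenient(data))


def strict_rejects(data: str) -> bool:
    """True if the Git-compatible parser refuses this input."""
    try:
        parse_strict(data)
    except ValueError:
        return True
    return False


# Constructed sample inputs (not taken from the advisory).
CLEAN_LF = "protocol=https\nhost=example.com\n\n"
CLEAN_CRLF = "protocol=https\r\nhost=example.com\r\n\r\n"
# One line to Git (the CR is just part of the host value), two lines to a
# reader that honours a bare CR as a newline.
BARE_CR_IN_VALUE = "protocol=https\nhost=example.com\rextra=injected\n\n"


if __name__ == "__main__":
    samples = [("LF", CLEAN_LF), ("CRLF", CLEAN_CRLF), ("bare CR", BARE_CR_IN_VALUE)]
    for name, sample in samples:
        lenient = parse_lenient(sample)
        strict = "rejected" if strict_rejects(sample) else parse_strict(sample)
        print(f"{name:8} lenient={lenient} strict={strict}")
```

On the LF and CRLF samples both parsers return the same two-field record, which is why the mismatch is invisible in normal use. On the bare-CR sample the lenient parser silently produces a third field that Git never sent, while the strict parser raises, which is the behaviour a credential helper should have: when in doubt about framing, fail closed rather than guess.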

Details

CWE(s): CWE-200

References