CVE-2024-52006

CVE-2024-52006 affects Git, a distributed revision control system, specifically its line-based protocol used to exchange information between Git and credential helpers. Certain ecosystems, most notably .NET and node.js, interpret single Carriage Return (CR) characters as newlines, rendering the existing protections against CVE-2020-5260 incomplete for credential helpers that process CRs in this way. The vulnerability is associated with CWE-116 (Improper Encoding or Escaping of Output), CWE-147 (Less Robust Fix), and CWE-150 (Improper Neutralization of CRLF Sequences), and impacts Git versions prior to the patched releases.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), allowing remote, unauthenticated attackers with low complexity and no user interaction to achieve high-impact confidentiality violations. Exploitation occurs when users clone repositories from untrusted sources, where attackers can manipulate protocol responses using CR characters to bypass safeguards, potentially leading to unauthorized access to stored credentials via affected credential helpers.

Git has addressed the issue in commit b01b9b81d36759cdcd07305e78765199e1bc2060, which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Security practitioners should advise users to upgrade immediately. For those unable to upgrade, mitigation involves avoiding clones from untrusted URLs, particularly recursive clones. Detailed advisories are available from Git's GitHub security pages (GHSA-qm7j-c969-7j4q, GHSA-r5ph-xg7q-xfrp, and Git Credential Manager's GHSA-86c2-4x57-wc8g) and Debian LTS announcements.