Vulnerabilities affecting this package (1)
| Vulnerability |
Summary |
Fixed by |
VCID-a7r5-wv78-mbbt
Aliases:
CVE-2024-53263
GHSA-q6r2-x2cc-vrp7
|
Git LFS permits exfiltration of credentials via crafted HTTP URLs
### Impact
When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials.
### Patches
This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1.
### Workarounds
There are no workarounds known at this time.
### References
* https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
* https://nvd.nist.gov/vuln/detail/CVE-2024-53263
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53263
* https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
* [git-lfs/git-lfs@0345b6f816](https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90)
### For more information
If you have any questions or comments about this advisory:
* For general questions, start a discussion in the Git LFS [discussion forum](https://github.com/git-lfs/git-lfs/discussions).
* For reports of additional vulnerabilities, please follow the Git LFS [security reporting policy](https://github.com/git-lfs/git-lfs/blob/main/SECURITY.md).
|
There are no reported fixed by versions.
|
Vulnerabilities fixed by this package (0)
| Vulnerability |
Summary |
Aliases |
|
This package is not known to fix vulnerabilities.
|