CVE-2024-50338 in git-credential-managerinfo

Summary

by MITRE • 01/14/2025

Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation restricts the use of the NUL (`\0`) character and newlines to form part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline` that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not. This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the `--recursive` clone option as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and not clone with `--recursive` to allow inspection of any submodule URLs before cloning those submodules.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/12/2025

The vulnerability described in CVE-2024-50338 affects Git Credential Manager (GCM), a critical component that securely handles Git authentication credentials across multiple operating systems. This credential helper operates as a text-based protocol over standard input/output streams, where credential data is transmitted as key-value pairs in the format key=value. The Git protocol specification explicitly restricts the use of NUL characters and newlines within credential values to prevent parsing ambiguities and potential security issues. Git's internal implementation uses the strbuf_getline function with strbuf_getdelim_strip_crlf to process input streams, treating both LF and CRLF as valid line terminators while specifically rejecting values containing line-feed characters to prevent credential leakage through malformed inputs. The vulnerability stems from a fundamental mismatch between Git's and GCM's newline handling implementations, where Git's stricter validation conflicts with GCM's more permissive .NET StreamReader approach. When GCM processes credential input using the ReadLineAsync method, it accepts LF, CRLF, and CR as valid line endings through .NET's standard library, creating a discrepancy that attackers can exploit to manipulate credential parsing behavior.

The operational impact of this vulnerability extends beyond simple credential theft to encompass broader security implications for Git repository operations, particularly when dealing with recursive cloning scenarios. Attackers can craft malicious remote URLs that exploit the newline handling inconsistency to inject credential data from one repository into another's authentication process. This occurs because GCM's parsing logic does not align with Git's validation mechanisms, allowing attackers to manipulate how credential data is interpreted during the authentication flow. The risk is significantly amplified when users perform recursive cloning operations with submodules, as the attacker can control multiple remote URLs simultaneously without the user being able to inspect submodule configurations beforehand. This attack vector represents a sophisticated credential harvesting technique that leverages the inherent protocol mismatch to bypass normal authentication security controls, potentially compromising access to multiple repositories through a single malicious entry point.

This vulnerability aligns with several cybersecurity frameworks and threat models, particularly mapping to CWE-1279 which addresses improper handling of line terminators in text processing, and CWE-209 which covers information exposure through error handling. The attack pattern follows ATT&CK technique T1552.001 for unsecured credentials and T1552.006 for credential access through network protocols. The mismatch between Git's and GCM's newline processing creates a protocol-level vulnerability that falls under the category of input validation errors and improper data handling. The security implications extend to supply chain attacks where malicious repositories could compromise credentials for legitimate organizations, especially in enterprise environments where recursive cloning is common. Organizations using GCM should consider this vulnerability as part of their broader security posture assessment, particularly in environments where code repositories are frequently cloned from external sources or when submodule usage is prevalent in development workflows.

The mitigation strategy for CVE-2024-50338 requires immediate action through upgrading to version 2.6.1 or later, which resolves the underlying newline handling discrepancy. Users unable to upgrade should implement operational controls such as restricting repository access to trusted sources only, avoiding recursive cloning operations that prevent inspection of submodule URLs, and conducting manual verification of all remote repository configurations before initiating clone operations. Security teams should also consider implementing network monitoring to detect anomalous credential handling patterns and establish policies around credential management that minimize the impact of potential exploitation. Organizations should conduct vulnerability assessments to identify systems running affected versions of GCM and ensure comprehensive patch management processes are in place to address similar protocol-level discrepancies that may exist in other credential handling components. The vulnerability demonstrates the importance of maintaining consistency in protocol implementations across different software components, particularly in security-critical applications where input handling discrepancies can lead to significant credential compromise risks.

Responsible

GitHub M

Reservation

10/22/2024

Disclosure

01/14/2025

Moderation

accepted

CPE

ready

EPSS

0.03148

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!