CVE-2020-11008 Overview
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where some credential is leaked, though the attacker cannot control which one.
Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server.
Critical Impact
Attackers can steal stored Git credentials by exploiting improper URL validation in Git's credential helper system, potentially compromising access to private repositories and development infrastructure.
Affected Products
- Git-scm Git (multiple versions)
- Canonical Ubuntu Linux 16.04 LTS, 18.04 LTS, 19.10
- Debian Linux 8.0
- Fedora 31, 32
Discovery Timeline
- April 21, 2020 - CVE-2020-11008 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-11008
Vulnerability Analysis
This vulnerability represents an improper input validation flaw (CWE-20) combined with insufficiently protected credentials (CWE-522). The root of the problem is in Git itself, which should not be feeding blank input to credential helpers. When Git processes a maliciously crafted URL lacking a proper scheme, it fails to properly reject the URL and instead passes a blank pattern to credential helpers.
The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git.
Credential helpers known to trigger the vulnerability include Git's "store" helper, Git's "cache" helper, and the "osxkeychain" helper that ships in Git's "contrib" directory. The Git Credential Manager for Windows is known to be safe even with vulnerable versions of Git.
Root Cause
The vulnerability stems from improper input validation in Git's URL parsing logic within the credential handling subsystem. When Git encounters a URL without a proper protocol scheme (e.g., ://), the original code would return 0 (success) rather than properly rejecting the malformed URL. This allowed URLs without schemes to pass validation and subsequently cause blank credential patterns to be sent to helper programs.
Attack Vector
The attack exploits Git's network-based URL handling capabilities. An attacker can craft a malicious URL that bypasses the protocol scheme validation, causing Git to send blank credential patterns to configured credential helpers. Since many helpers interpret blank patterns as matching any stored credential, they may return sensitive authentication data that gets transmitted to the attacker's server.
Attack vectors include:
- Direct git clone commands with malicious URLs
- Git submodules pointing to malicious repositories
- Package management systems that automatically fetch Git repositories
- CI/CD pipelines that clone untrusted repositories
// Security patch in credential.c - treats URL without scheme as invalid
// Source: https://github.com/git/git/commit/c44088ecc4b0722636e0a305f9608d3047197282
* (3) proto://<user>:<pass>@<host>/...
*/
proto_end = strstr(url, "://");
- if (!proto_end)
- return 0;
+ if (!proto_end) {
+ if (!quiet)
+ warning(_("url has no scheme: %s"), url);
+ return -1;
+ }
cp = proto_end + 3;
at = strchr(cp, '@');
colon = strchr(cp, ':');
Detection Methods for CVE-2020-11008
Indicators of Compromise
- Unusual Git credential helper invocations with blank or missing hostname/protocol fields
- Network connections from Git processes to unexpected external hosts
- Log entries showing warnings about URLs with missing schemes
- Credential helper logs indicating pattern matches against blank queries
Detection Strategies
- Monitor Git process execution for suspicious URL patterns lacking protocol schemes
- Implement network monitoring to detect Git credential data being sent to unauthorized external servers
- Review Git submodule configurations in repositories for malformed or suspicious URLs
- Audit CI/CD pipeline logs for anomalous Git clone operations
Monitoring Recommendations
- Enable verbose Git logging to capture URL parsing warnings and credential helper interactions
- Deploy endpoint detection to monitor Git executable behavior and network connections
- Implement file integrity monitoring on credential helper configuration files
- Establish baseline Git network behavior to detect anomalous credential transmissions
How to Mitigate CVE-2020-11008
Immediate Actions Required
- Update Git to the latest patched version immediately across all development systems
- Audit and rotate any credentials that may have been stored in vulnerable credential helpers
- Review Git submodule configurations in all repositories for potentially malicious URLs
- Consider temporarily disabling credential helpers until systems are patched
Patch Information
Git maintainers released a security patch addressing this vulnerability. The fix modifies the URL parsing logic in credential.c to properly reject URLs that lack a protocol scheme, returning -1 (failure) instead of 0 (success) and emitting a warning message. The patch is available in the Git Commit Update.
Additional security advisories and information are available from:
Workarounds
- Use Git Credential Manager for Windows, which is known to be safe against this vulnerability
- Avoid using the "store", "cache", or "osxkeychain" credential helpers until patched
- Manually inspect all URLs before cloning, especially those from untrusted sources
- Disable automatic submodule initialization and update with git config --global submodule.recurse false
# Configuration to mitigate risk until patching
# Disable credential caching temporarily
git config --global --unset credential.helper
# Disable automatic submodule recursion
git config --global submodule.recurse false
# Check current Git version
git --version
# Update Git on Ubuntu/Debian
sudo apt-get update && sudo apt-get install git
# Update Git on Fedora
sudo dnf update git
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
