CVE-2024-53263

CVE-2024-53263

Name

CVE-2024-53263

Description

Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90
MISC	https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
CONFIRM	https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/01/msg00022.html

Type

URI

MISC

https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90

MISC

https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1

CONFIRM

https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/01/msg00022.html

CPE URI	Source package	Min version	Max version
	git-lfs	>= 0.1.0	< 3.6.1

CPE URI

Source package

Min version

Max version

git-lfs

>= 0.1.0

< 3.6.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
git-lfs	edge-community	3.6.0-r6	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.6.0-r5	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.6.0-r4	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.6.0-r3	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.6.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.6.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.6.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.1.2-r4	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	edge-community	3.1.2-r3	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	3.22-community	3.6.0-r9	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	3.22-community	3.6.0-r8	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	3.22-community	3.6.0-r7	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	3.22-community	3.6.0-r6	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	3.22-community	3.6.0-r5	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
git-lfs	3.22-community	3.1.2-r4	None	possibly vulnerable
git-lfs	3.22-community	3.1.2-r3	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages