{ "threat_severity" : "Important", "public_date" : "2025-01-14T19:33:21Z", "bugzilla" : { "description" : "git-lfs: Git LFS permits exfiltration of credentials via crafted HTTP URLs", "id" : "2338002", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2338002" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-74", "details" : [ "Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.", "A flaw was found in the Git LFS git extension. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials." ], "statement" : "This vulnerability in Git LFS is important rather than moderate because it directly impacts the security of credential handling, a core aspect of repository access control. By allowing an attacker to inject line-ending control characters, such as LF or CR, into URLs passed to the `git-credential` command, it bypasses a fundamental trust boundary between Git and the credential helper. This issue could enable attackers to intercept or exfiltrate user credentials, granting unauthorized access to repositories, including private and sensitive data.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-01-30T00:00:00Z", "advisory" : "RHSA-2025:0845", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "git-lfs-0:3.4.1-4.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-01-30T00:00:00Z", "advisory" : "RHSA-2025:0825", "cpe" : "cpe:/a:redhat:rhel_aus:8.4", "package" : "git-lfs-0:2.13.3-3.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date" : "2025-01-30T00:00:00Z", "advisory" : "RHSA-2025:0825", "cpe" : "cpe:/a:redhat:rhel_tus:8.4", "package" : "git-lfs-0:2.13.3-3.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date" : "2025-01-30T00:00:00Z", "advisory" : "RHSA-2025:0825", "cpe" : "cpe:/a:redhat:rhel_e4s:8.4", "package" : "git-lfs-0:2.13.3-3.el8_4.1" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-01-28T00:00:00Z", "advisory" : "RHSA-2025:0765", "cpe" : "cpe:/a:redhat:rhel_aus:8.6", "package" : "git-lfs-0:2.13.3-3.el8_6.3" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-01-28T00:00:00Z", "advisory" : "RHSA-2025:0765", "cpe" : "cpe:/a:redhat:rhel_tus:8.6", "package" : "git-lfs-0:2.13.3-3.el8_6.3" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-01-28T00:00:00Z", "advisory" : "RHSA-2025:0765", "cpe" : "cpe:/a:redhat:rhel_e4s:8.6", "package" : "git-lfs-0:2.13.3-3.el8_6.3" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2025-01-28T00:00:00Z", "advisory" : "RHSA-2025:0762", "cpe" : "cpe:/a:redhat:rhel_eus:8.8", "package" : "git-lfs-0:3.2.0-2.el8_8.3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0673", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "git-lfs-0:3.4.1-4.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-01-28T00:00:00Z", "advisory" : "RHSA-2025:0758", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "git-lfs-0:2.13.3-5.el9_0.3" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2025-01-28T00:00:00Z", "advisory" : "RHSA-2025:0757", "cpe" : "cpe:/a:redhat:rhel_eus:9.2", "package" : "git-lfs-0:3.2.0-2.el9_2.2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-01-28T00:00:00Z", "advisory" : "RHSA-2025:0759", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "git-lfs-0:3.4.1-4.el9_4.1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "git-lfs", "cpe" : "cpe:/o:redhat:enterprise_linux:10" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-53263\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53263\nhttps://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90\nhttps://github.com/git-lfs/git-lfs/releases/tag/v3.6.1\nhttps://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7" ], "name" : "CVE-2024-53263", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }