8.5

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-53263

CVE-2024-53263: Git LFS permits exfiltration of credentials via crafted HTTP URLs

Impact

When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials.

Patches

This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1.

Workarounds

There are no workarounds known at this time.

References

https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
https://nvd.nist.gov/vuln/detail/CVE-2024-53263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53263
https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
git-lfs/git-lfs@0345b6f816

For more information

If you have any questions or comments about this advisory:

For general questions, start a discussion in the Git LFS discussion forum.
For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-53263

CVE-2024-53263:

8.5

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/git-lfs/git-lfs/v3	go	>= 3.0.0, <= 3.6.0	3.6.1
github.com/git-lfs/git-lfs	go	>= 0.1.0, <= 3.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the improper handling of newline characters in URLs when Git LFS interacts with Git credential helpers. The commit 0345b6f816e611d050c0df67b61f0022916a1c90 patches this vulnerability.

The Creds.buffer method in creds/creds.go is directly responsible for constructing the data payload sent to the git-credential helper. The patch introduces a check (strings.Contains(item, "\n")) within this method to detect and reject credential values containing newline characters. Its previous lack of such a check made it vulnerable, as it would include raw newlines from crafted URLs in the output buffer.
The commandCredentialHelper.exec method in creds/creds.go is the caller of Creds.buffer and uses its output to set the standard input for the git-credential command. The patch modifies this method to handle the new error returned by Creds.buffer if a newline is detected. This implies that before the patch, it would use the potentially malicious buffer from Creds.buffer without this validation, thereby passing the unsanitized data to the external credential helper. Both functions are critical in the vulnerable execution path: Creds.buffer for creating the malformed input, and commandCredentialHelper.exec for using that input in a sensitive operation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-53263: Git LFS permits exfiltration of credentials via crafted HTTP URLs

Impact

Patches

Workarounds

References

For more information

CVE-2024-53263:

8.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-53263: Git LFS permits exfiltration of credentials via crafted HTTP URLs

Impact

Patches

Workarounds

References

For more information

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.5

8.5

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI