git-ecosystem/git-credential-manager
cpe:2.3:a:microsoft:git_credential_manager_core:*:*:*:*:windows:*:*
- <= 2.6.0
A vulnerability in Git Credential Manager (GCM) exists due to improper handling of carriage-return characters in the Git credential protocol. GCM, a secure credential helper built on .NET, reads credentials from standard input as key-value pairs, one per line. While Git treats carriage-return characters as invalid, GCM's underlying .NET implementation treats them as line terminators. This discrepancy allows attackers to craft malicious URLs that, when accessed, can leak credentials for other Git remotes. The issue is exacerbated when cloning repositories with submodules using the '--recursive' option, as submodule URLs cannot be inspected beforehand.
Exploitation of this vulnerability allows for the unauthorized capture of Git credentials, potentially leading to misuse of those credentials with other Git remotes.
The vulnerability can be reproduced with Git Credential Manager versions up to and including 2.6.0. When a malicious URL containing a carriage-return character is used with a Git command that requires authentication, GCM will incorrectly parse the resulting credential request, leading to credential leakage.
Users should upgrade to Git Credential Manager version 2.6.1 or later. Those unable to upgrade should interact only with trusted repositories and avoid using the '--recursive' option when cloning to allow for inspection of submodule URLs.
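The following is an added example, not code from GCM or from this advisory, illustrating the parsing discrepancy described above and the URL inspection recommended as a workaround. It contrasts a lenient line splitter (Python's `str.splitlines()` treats a lone CR as a line terminator, analogous to the .NET behaviour the advisory describes) with a strict parser that, like Git, accepts only LF as a line terminator and rejects any CR. The sample request strings, the `injected` key name and the `url_is_safe` helper are constructed for this example.

```python
"""Added example: strict vs lenient parsing of Git credential-protocol input.

The credential protocol is a sequence of ``key=value`` lines terminated by a
blank line. A parser that treats CR as a line break lets a single value smuggle
in an extra key/value line; a parser that rejects CR does not.
"""
from typing import Dict

# Constructed sample requests (not real captured traffic).
CLEAN_REQUEST = "protocol=https\nhost=example.com\npath=repo.git\n\n"
# The path value carries a lone CR followed by text that looks like a new line.
CR_REQUEST = "protocol=https\nhost=example.com\npath=repo.git\rinjected=1\n\n"


class CredentialProtocolError(ValueError):
    """Raised when a credential request violates the protocol's line rules."""


def parse_lenient(data: str) -> Dict[str, str]:
    """Lenient parse: str.splitlines() splits on '\\r' as well as '\\n'.

    This mirrors the advisory's description of the .NET behaviour: a value
    containing CR is silently split into two protocol lines.
    """
    attrs: Dict[str, str] = {}
    for line in data.splitlines():
        if line == "":
            break  # blank line terminates the request
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def parse_strict(data: str) -> Dict[str, str]:
    """Strict parse: only '\\n' terminates a line and any '\\r' is an error.

    This matches the advisory's statement that Git treats CR as invalid, so a
    smuggled line is rejected instead of being interpreted.
    """
    attrs: Dict[str, str] = {}
    for line in data.split("\n"):
        if line == "":
            break  # blank line terminates the request
        if "\r" in line:
            raise CredentialProtocolError("carriage return in credential request")
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise CredentialProtocolError(f"malformed line: {line!r}")
        attrs[key] = value
    return attrs


def url_is_safe(url: str) -> bool:
    """Pre-clone check (hypothetical helper) for remote or submodule URLs.

    A syntactically valid URL never contains raw ASCII control characters, so
    any CR, LF or other control byte in a URL taken from a .gitmodules file is
    reason to stop and inspect it before it reaches a credential helper. This
    checks raw characters only; it does not decode percent-escapes.
    """
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url)


if __name__ == "__main__":
    print("lenient:", parse_lenient(CR_REQUEST))   # extra 'injected' key appears
    try:
        parse_strict(CR_REQUEST)
    except CredentialProtocolError as exc:
        print("strict rejected:", exc)
    print("url ok:", url_is_safe("https://example.com/repo.git"))
```

Running the script shows the lenient parser accepting an `injected` key that the strict parser refuses, which is the whole of the discrepancy: the same bytes yield two different credential requests depending on how CR is treated. The `url_is_safe` check is the kind of inspection the workaround above asks for when `--recursive` cloning is avoided and submodule URLs are reviewed by hand.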