Git LFS
cpe:2.3:a:git_large_file_storage_project:git_large_file_storage:*:*:*:*:*:*:*
- >= 0.1.0, <= 3.6.0
A vulnerability in Git Large File Storage (LFS) versions 0.1.0 prior to 3.6.0 allows Git credentials to be retrieved through crafted HTTP URLs. When Git LFS requests credentials from Git for a remote host, it passes parts of the host's URL to the `git-credential` command without stripping embedded line-ending control characters. An attacker can therefore place URL-encoded control characters, such as a line feed (LF) or carriage return (CR), in the URL, which may lead to the extraction of the user's Git credentials. Because the `git-credential` request format is line-oriented, the credential helper cannot tell a line feed decoded from the URL apart from a genuine line separator, and a credential request fails when such a line feed is detected. The flaw resembles a previously fixed issue in Git itself, pointing to a common weakness in handling URL-encoded data.
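The line-oriented request format described above is what makes a decoded line feed dangerous. The following Go program is an added illustration, not Git LFS's own code: `Attr`, `naiveRequest`, `safeRequest` and `parseRequest` are hypothetical names, and the host value is a constructed input modelling what a URL-decoded `%0A` would produce. It shows the extra attribute a helper would read from an unchecked request, and the check that refuses such a request.

```go
package main

import (
	"fmt"
	"strings"
)

// Attr is one "key=value" attribute of a git-credential request.
type Attr struct{ Key, Val string }
// naiveRequest copies values verbatim, so a decoded line feed in a value yields an extra attribute line.
func naiveRequest(attrs []Attr) string {
	var b strings.Builder
	for _, a := range attrs {
		fmt.Fprintf(&b, "%s=%s\n", a.Key, a.Val)
	}
	b.WriteString("\n") // a blank line terminates the request
	return b.String()
}

// safeRequest rejects any key or value holding a line or record terminator (CR, LF, NUL).
func safeRequest(attrs []Attr) (string, error) {
	for _, a := range attrs {
		if strings.ContainsAny(a.Key+a.Val, "\r\n\x00") {
			return "", fmt.Errorf("attribute %q contains a line-ending control character", a.Key)
		}
	}
	return naiveRequest(attrs), nil
}

// parseRequest reads a request as a helper does: key=value lines up to the first blank line.
func parseRequest(req string) map[string]string {
	body, _, _ := strings.Cut(req, "\n\n")
	seen := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if k, v, ok := strings.Cut(line, "="); ok {
			seen[k] = v
		}
	}
	return seen
}

func main() {
	// Constructed input: a host whose decoded %0A line feed smuggles a second attribute.
	attrs := []Attr{{"protocol", "https"}, {"host", "example.com\npath=injected/repo.git"}}
	fmt.Println("helper sees:", parseRequest(naiveRequest(attrs)))
	if _, err := safeRequest(attrs); err != nil {
		fmt.Println("rejected:", err)
	}
}
```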
Exploitation of this vulnerability could result in unauthorized retrieval of Git credentials, which may be used to access repositories or perform actions on behalf of the user.
To reproduce this vulnerability, create a Git LFS repository and configure it to use a credential helper. Then insert a URL containing URL-encoded line feed characters into the Git LFS configuration. When Git LFS pushes objects to the repository, it requests credentials from the Git credential helper, which receives the URL-encoded line feed characters; these could be exploited to inject additional credential values. As a result, the Git LFS push command fails, but the injected credentials could be retrieved and used maliciously.
Users should upgrade to Git LFS version 3.6.1 or later, where this vulnerability has been patched. Instructions for upgrading Git LFS can be found in the Git LFS release notes.