CVE-2024-53263

Name: CVE-2024-53263
Description: Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4028-1, DSA-5849-1
Debian Bugs: 1093048

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release               Version            Status
git-lfs (PTS)      bullseye              2.13.2-1           vulnerable
                   bullseye (security)   2.13.2-1+deb11u1   fixed
                   bookworm              3.3.0-1            vulnerable
                   bookworm (security)   3.3.0-1+deb12u1    fixed
                   sid, trixie           3.6.1-1            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
git-lfs   source   bullseye     2.13.2-1+deb11u1              DLA-4028-1
git-lfs   source   bookworm     3.3.0-1+deb12u1               DSA-5849-1
git-lfs   source   (unstable)   3.5.0-2                                    1093048

Notes

https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
Fixed by: https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90 (v3.6.1)
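As an added illustration (an example written for this page, not Git LFS project code and not the contents of the fix commit above) of the class of check that closes this bug: build the key=value request that would be piped to `git credential fill` for a remote URL, and refuse any component whose percent-decoded form carries CR, LF or NUL. It assumes only the Go standard library; the sample URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrControlChar: a URL component, once percent-decoded, would inject a new
// key=value line into the line-oriented git-credential protocol.
var ErrControlChar = errors.New("URL component contains line-ending control characters")

// hasControlChars reports whether s contains CR, LF or NUL.
func hasControlChars(s string) bool { return strings.ContainsAny(s, "\r\n\x00") }

// credentialRequest builds the key=value block that would be piped to
// `git credential fill` for remoteURL. Unlike the behaviour described in
// CVE-2024-53263, it refuses any component whose decoded form carries
// an embedded line ending (for example a %0A in the path).
func credentialRequest(remoteURL string) (string, error) {
	u, err := url.Parse(remoteURL)
	if err != nil {
		return "", err // Go's parser already rejects %0A/%0D inside the host
	}
	if u.Scheme == "" || u.Host == "" {
		return "", errors.New("remote URL lacks scheme or host")
	}
	keys := []string{"protocol", "host", "path"}
	vals := []string{u.Scheme, u.Host, strings.TrimPrefix(u.Path, "/")} // u.Path is decoded
	var b strings.Builder
	for i, key := range keys {
		if hasControlChars(vals[i]) {
			return "", fmt.Errorf("%w in %s", ErrControlChar, key)
		}
		if vals[i] != "" {
			fmt.Fprintf(&b, "%s=%s\n", key, vals[i])
		}
	}
	b.WriteString("\n") // a blank line terminates the request
	return b.String(), nil
}

func main() {
	for _, raw := range []string{"https://example.com/org/repo.git", "https://example.com/org/repo.git%0Ahost=other.invalid"} {
		req, err := credentialRequest(raw)
		fmt.Printf("%-58s -> %q err=%v\n", raw, req, err)
	}
}
```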
