CVE-2024-53263

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-53263

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53263.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-53263

Aliases

Related

Published

2025-01-14T20:15:28Z

Modified

2025-01-25T11:45:42.004832Z

Summary

[none]

Details

Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

References

Affected packages

Debian:11 / git-lfs

Package

Name: git-lfs
Purl: pkg:deb/debian/git-lfs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.13.2-1+deb11u1

Affected versions

2.*

2.13.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / git-lfs

Package

Name: git-lfs
Purl: pkg:deb/debian/git-lfs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.3.0-1+deb12u1

Affected versions

3.*

3.3.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / git-lfs

Package

Name: git-lfs
Purl: pkg:deb/debian/git-lfs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.5.0-2

Affected versions

3.*

3.3.0-1

3.4.0-1

3.4.1-1

3.5.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/git-lfs/git-lfs

Affected ranges

Type: GIT
Repo: https://github.com/git-lfs/git-lfs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0345b6f816e611d050c0df67b61f0022916a1c90

Affected versions

v0.*

v0.1.0

v0.2.0

v0.2.1

v0.2.1-p1

v0.2.2

v0.2.3

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.4.0

v0.4.1

v0.5.0

v0.5.0.pre1

v0.5.1

v0.5.1-tracing

v0.5.2

v0.5.3

v0.6.0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.1.1-pre-push-tracing

v1.1.2

v1.2.0

v1.3.0

v1.3.1

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.5.0

v2.*

v2.0.0

v2.0.2-rc1

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.2.0

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v2.8.0

v2.9.0

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.3.0

v3.4.0

v3.5.0

v3.6.0