Insufficiently Protected Credentials in git (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-11008 |
| CWE-ID | CWE-522 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
git (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Insufficiently Protected Credentials
EUVDB-ID: #VU27257
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-11008
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information on the system
The vulnerability exists due to the Git can be tricked into sending private credentials to a host controlled by an attacker. A remote attacker can send a specially crafted URL to "git clone" that will present stored credentials for any host to a host of their choosing.
Note: This vulnerability is similar to the CVE-2020-5260 (SB2020041523). The fix for that bug still left the door open for an exploit where some credential is leaked (but the attacker cannot control which one).
MitigationInstall update from vendor's website.
Vulnerable software versionsgit (Alpine package): 2.17.0-r0 - 2.20.3-r0
git (Alpine package):
CPE2.3- cpe:2.3:a:alpine:git_alpine_package:2.17.0-r0:*:*:*:*:alpine_linux:*:3.7
- cpe:2.3:a:alpine:git_alpine_package:2.17.1-r0:*:*:*:*:alpine_linux:*:3.7
- cpe:2.3:a:alpine:git_alpine_package:2.18.0-r0:*:*:*:*:alpine_linux:*:3.7
- cpe:2.3:a:alpine:git_alpine_package::*:*:*:*:alpine_linux:*:*
https://git.alpinelinux.org/aports/commit/?id=f32b8f8df8e99e7b325c18d9faefd359d2f1a39a
https://git.alpinelinux.org/aports/commit/?id=d8f98f1d364cc22538f4999b495d0cc90de59440
https://git.alpinelinux.org/aports/commit/?id=c0456ebf2823e5d0bbe77d9a844cafacf6a2d17d
https://git.alpinelinux.org/aports/commit/?id=88e1a78be765dc06805c03a6099406b8ca4ae21b
https://git.alpinelinux.org/aports/commit/?id=e964b427700d05033702d989be968bdd17d391ad
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
