SB2026041793 - Insufficiently protected credentials in go-git

Description

This security bulletin contains information about 1 security vulnerability.

1) Insufficiently protected credentials (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insufficiently protected credentials in smart HTTP transport when following a cross-host redirect during smart-HTTP clone and fetch operations. A remote attacker can cause the client to follow a redirect to a different host and capture reused HTTP authentication credentials to disclose sensitive information.

User interaction is required to initiate the clone or fetch operation, and the issue occurs when the initial /info/refs request is redirected to a different host.

Remediation

Install update from vendor's website.

References

• https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
• https://github.com/advisories/GHSA-3xc5-wrhm-f963