{"id":"MGASA-2020-0181","summary":"Updated git packages fix security vulnerability","details":"Updated git packages fix security vulnerability:\n\nMalicious URLs can still cause Git to send a stored credential to\nthe wrong server (CvE-2020-111008).\n\nWith a crafted URL that contains a newline or empty host, or lacks a\nscheme, the credential helper machinery can be fooled into providing\ncredential information that is not appropriate for the protocol in\nuse and host being contacted.\n\nUnlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the\ncredentials are not for a host of the attacker's choosing; instead,\nthey are for some unspecified host (based on how the configured\ncredential helper handles an absent \"host\" parameter).\n\nThe attack has been made impossible by refusing to work with\nunder-specified credential patterns.\n","modified":"2026-04-16T04:41:05.075576037Z","published":"2020-04-24T17:03:35Z","upstream":["CVE-2020-11008"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0181.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26516"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2020/04/20/1"},{"type":"ADVISORY","url":"https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7"}],"affected":[{"package":{"name":"git","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/git?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.21.3-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0181.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}