SB2025011641 - Multiple vulnerabilities in Git for Windows

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025011641

SB2025011641 - Multiple vulnerabilities in Git for Windows

Published: January 16, 2025

Security Bulletin ID SB2025011641
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-52005)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when handling ANSI escape sequences in messages  passed via sideband channel. A remote attacker can pass specially crafted messages to the terminal and potentially execute untrusted scripts.


2) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-50349)

The vulnerability allows a remote attacker to perform spoofing  attack.

The vulnerability exists due to incorrect handling of control sequences in account names when asking for credentials. A remote attacker can trick the victim into clicking on a specially crafted URL and trick users into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control.


3) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-52006)

The vulnerability allows a remote attacker to exfiltrate data.

The vulnerability exists due to newline confusion in credential helpers when interpreting single Carriage Return characters. A remote attacker can gain access to sensitive information.


Remediation

Install update from vendor's website.

References