CVE-2024-52006
Published: 14 January 2025
Summary
CVE-2024-52006 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Git Git. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked in the top 20.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of flaws like CVE-2024-52006 by upgrading Git to patched versions that fix improper CR handling in credential helper protocols.
Enables detection of vulnerable Git installations through vulnerability scanning that identifies outdated versions affected by CVE-2024-52006.
Ensures receipt and dissemination of security advisories for CVE-2024-52006, facilitating awareness and initiation of patching or workaround measures.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables bypass of credential helper protocol protections, directly facilitating theft of stored Git credentials/tokens from password stores or unsecured locations during clone operations from attacker-controlled repos.
NVD Description
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git…
more
credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
Deeper analysisAI
CVE-2024-52006 affects Git, a distributed revision control system, specifically its line-based protocol used to exchange information between Git and credential helpers. Certain ecosystems, most notably .NET and node.js, interpret single Carriage Return (CR) characters as newlines, rendering the existing protections against CVE-2020-5260 incomplete for credential helpers that process CRs in this way. The vulnerability is associated with CWE-116 (Improper Encoding or Escaping of Output), CWE-147 (Less Robust Fix), and CWE-150 (Improper Neutralization of CRLF Sequences), and impacts Git versions prior to the patched releases.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), allowing remote, unauthenticated attackers with low complexity and no user interaction to achieve high-impact confidentiality violations. Exploitation occurs when users clone repositories from untrusted sources, where attackers can manipulate protocol responses using CR characters to bypass safeguards, potentially leading to unauthorized access to stored credentials via affected credential helpers.
Git has addressed the issue in commit b01b9b81d36759cdcd07305e78765199e1bc2060, which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Security practitioners should advise users to upgrade immediately. For those unable to upgrade, mitigation involves avoiding clones from untrusted URLs, particularly recursive clones. Detailed advisories are available from Git's GitHub security pages (GHSA-qm7j-c969-7j4q, GHSA-r5ph-xg7q-xfrp, and Git Credential Manager's GHSA-86c2-4x57-wc8g) and Debian LTS announcements.
Details
- CWE(s)