Summary: The ‘Clone2Leak’ attacks expose several vulnerabilities in Git and its credential helpers that can lead to credential leaks, including passwords and access tokens. Discovered by researcher RyotaK, these flaws have been responsibly reported and subsequently patched. Users are advised to update their tools and employ further security measures to protect against potential exploitation.
Affected: Git, GitHub Desktop, Git LFS, GitHub CLI/Codespaces, Git Credential Manager
Key points:
- Three main vulnerabilities: carriage return smuggling, newline injection, and logic flaws in credential retrieval.
- Attackers can exploit these vulnerabilities by tricking Git into leaking stored credentials during interactions with malicious repositories.
- Users should upgrade to safe versions of affected tools and enable ‘credential.protectProtocol’ for enhanced security.
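As an added example (not code from the advisory or from any of the affected projects), the following Python shows why the carriage-return and newline findings matter: Git talks to credential helpers over a line-oriented `key=value` protocol, so a control character inside a field can inject extra lines. The function names and sample URLs are constructed for this illustration; the serializer refuses such values, and the parser reads a helper reply.

```python
"""Guard Git's credential-helper line protocol against CR/LF smuggling.

Git and its helpers exchange one "key=value" pair per line, terminated
by an empty line.  If a carriage return or newline ever reaches a field
value (for example via a percent-encoded %0d or %0a that gets decoded
before serialization), the attacker controls additional lines of the
request, which is the bug class the Clone2Leak advisory describes.
Names below are this example's own, not Git's internal API.
"""
import re
from urllib.parse import urlsplit, unquote

# Keys Git sends toward a helper on a "get" request, in emission order.
REQUEST_FIELDS = ("protocol", "host", "path", "username")
CONTROL_CHARS = re.compile(r"[\r\n\x00]")


def credential_request(url: str) -> str:
    """Serialize the helper request for *url*, refusing control chars."""
    parts = urlsplit(url)
    fields = {
        "protocol": parts.scheme,
        "host": unquote(parts.hostname or ""),
        "path": unquote(parts.path.lstrip("/")),
    }
    if parts.username:
        fields["username"] = unquote(parts.username)
    lines = []
    for key in REQUEST_FIELDS:
        value = fields.get(key)
        if not value:
            continue
        if CONTROL_CHARS.search(value):
            # Refuse rather than strip: a stripped value would still be
            # an attacker-chosen host or path sent to the helper.
            raise ValueError(f"control character in credential field {key!r}")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def parse_credential_response(text: str) -> dict:
    """Parse a helper reply: key=value per line, blank line ends it."""
    creds = {}
    for line in text.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        creds[key] = value
    return creds
```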