ASA-202004-13 - log

ASA-202004-13 edited at 15 Apr 2020 18:30:51
Workaround
- The most complete workaround is to disable credential helpers altogether:
+ The most complete workaround is to disable credential helpers
+ altogether:
git config --unset credential.helper
git config --global --unset credential.helper
git config --system --unset credential.helper
An alternative is to avoid malicious URLs:
- 1. Examine the hostname and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (e.g., host=github.com)
- 2. Avoid using submodules with untrusted repositories (don't use clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules)
+ 1. Examine the hostname and username portion of URLs fed to git clone
+ for the presence of encoded newlines (%0a) or evidence of credential-
+ protocol injections (e.g., host=github.com)
+ 2. Avoid using submodules with untrusted repositories (don't use clone
+ --recurse-submodules; use git submodule update only after examining the
+ URLs found in .gitmodules)
3. Avoid tools which may run git clone on untrusted URLs under the hood
ASA-202004-13 edited at 15 Apr 2020 11:30:47
Impact
- A remote attacker is able to exfiltrate credentials by providing a malicious URL.
+ A remote attacker could trick Git into returning credential information for a wrong host by providing a malicious URL.
ASA-202004-13 edited at 15 Apr 2020 10:26:21
Workaround
+ The most complete workaround is to disable credential helpers altogether:
+
+ git config --unset credential.helper
+ git config --global --unset credential.helper
+ git config --system --unset credential.helper
+
+ An alternative is to avoid malicious URLs:
+ 1. Examine the hostname and username portion of URLs fed to git clone for the presence of encoded newlines (%0a) or evidence of credential-protocol injections (e.g., host=github.com)
+ 2. Avoid using submodules with untrusted repositories (don't use clone --recurse-submodules; use git submodule update only after examining the URLs found in .gitmodules)
+ 3. Avoid tools which may run git clone on untrusted URLs under the hood
Impact
- A remote attacker can leak data by providing a malicious URL.
+ A remote attacker is able to exfiltrate credentials by providing a malicious URL.
ASA-202004-13 edited at 15 Apr 2020 07:23:07
Impact
+ A remote attacker can leak data by providing a malicious URL.
ASA-202004-13 created at 14 Apr 2020 19:18:41