CVE-2024-53263
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-53263
CVE Details
| Release Date: | 2025-01-14 | |
| Impact: | Important | What is this? |
Description
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.
See more information about CVE-2024-53263 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 8.1 |
| Vector String: | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Version: | 3.1 |
| Attack Vector: | Network |
| Attack Complexity: | Low |
| Privileges Required: | None |
| User Interaction: | Required |
| Scope: | Unchanged |
| Confidentiality Impact: | High |
| Integrity Impact: | High |
| Availability Impact: | None |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (git-lfs) | ELSA-2025-0845 | 2025-01-30 |
| Oracle Linux version 9 (git-lfs) | ELSA-2025-0673 | 2025-01-23 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
