VDB

GCVE-110-MAGEIA-2020-181

GCVE-110-MAGEIA-2020-181
Advisory Published
Vulnetix · Advisory published April 24, 2020
Updated git packages fix security vulnerability: Malicious URLs can still cause Git to send a stored credential to the wrong server (CvE-2020-111008). With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns.

Affected Products

VendorProductVersionsPlatforms
Mageiavlc0 (affected), 3.0.11.1-1.mga7 (unaffected), 3.0.11.1-1.mga7.tainted (unaffected), 0 (affected)
Mageiagit0 (affected), 2.21.3-1.mga7 (unaffected), 2.21.3-1.mga7 (unaffected), 0 (affected)

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›