Main Vulnerability Database SB2025011661

SB2025011661 - SUSE update for git

Published: January 16, 2025

Security Bulletin ID SB2025011661

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-50349)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to incorrect handling of control sequences in account names when asking for credentials. A remote attacker can trick the victim into clicking on a specially crafted URL and trick users into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control.

2) Improper Encoding or Escaping of Output (CVE-ID: CVE-2024-52006)

The vulnerability allows a remote attacker to exfiltrate data.

The vulnerability exists due to newline confusion in credential helpers when interpreting single Carriage Return characters. A remote attacker can gain access to sensitive information.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2025/suse-su-20250144-1/

Vulnerable Software

SUSE Linux Enterprise High Performance Computing LTSS 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing ESPOS 15: SP4 - SP5
SUSE Linux Enterprise Server 15 SP5: LTSS
SUSE Linux Enterprise Server 15 SP3: LTSS
SUSE Linux Enterprise Server 15 SP4: LTSS
SUSE Linux Enterprise Micro: 5.5
SUSE Linux Enterprise Server for SAP Applications 15: SP3 - SP5
SUSE Linux Enterprise Server 15: SP3 - SP5
SUSE Linux Enterprise High Performance Computing 15: SP3 - SP5
SUSE Enterprise Storage: 7.1
SUSE Manager Retail Branch Server: 4.3
SUSE Manager Server: 4.3
SUSE Manager Proxy: 4.3
openSUSE Leap: 15.3
git-doc: before 2.35.3-150300.10.48.1
git-cvs: before 2.35.3-150300.10.48.1
git-p4: before 2.35.3-150300.10.48.1
git-arch: before 2.35.3-150300.10.48.1
git-credential-gnome-keyring-debuginfo: before 2.35.3-150300.10.48.1
git-core-debuginfo: before 2.35.3-150300.10.48.1
git-credential-gnome-keyring: before 2.35.3-150300.10.48.1
git-svn: before 2.35.3-150300.10.48.1
git-debugsource: before 2.35.3-150300.10.48.1
git-core: before 2.35.3-150300.10.48.1
git-debuginfo: before 2.35.3-150300.10.48.1
git-credential-libsecret-debuginfo: before 2.35.3-150300.10.48.1
git-daemon: before 2.35.3-150300.10.48.1
git-credential-libsecret: before 2.35.3-150300.10.48.1
perl-Git: before 2.35.3-150300.10.48.1
git: before 2.35.3-150300.10.48.1
git-daemon-debuginfo: before 2.35.3-150300.10.48.1
gitk: before 2.35.3-150300.10.48.1
git-gui: before 2.35.3-150300.10.48.1
git-email: before 2.35.3-150300.10.48.1
git-web: before 2.35.3-150300.10.48.1