Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Maliciously crafted remote URLs could lead to credential leak in GitHub Desktop
Vulnerability Description
GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user's credentials through the use of maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone` and when Git encounters a remote which requires authentication it will request the credentials for that remote host from GitHub Desktop using the git-credential protocol. Using a maliciously crafted URL it's possible to cause the credential request coming from Git to be misinterpreted by Github Desktop such that it will send credentials for a different host than the host that Git is currently communicating with thereby allowing for secret exfiltration. GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop could be improperly transmitted to an unrelated host. Users should update to GitHub Desktop 3.4.12 or greater which fixes this vulnerability. Users who suspect they may be affected should revoke any relevant credentials.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
不充分的凭证保护机制
Vulnerability Title
GitHub Desktop 安全漏洞
Vulnerability Description
GitHub Desktop是GitHub Desktop开源的一个 GitHub 桌面版。 GitHub Desktop 3.4.12之前版本存在安全漏洞,该漏洞源于攻击者诱使用户直接或通过子模块克隆存储库,可允许攻击者通过使用恶意制作的远程URL访问用户的凭据。
CVSS Information
N/A
Vulnerability Type
N/A