Credential-leaking vulnerability in some Git credential managers
Security researcher RyotaK has shared a series of vulnerabilities that all have to do with how Git interfaces with external credential managers. In short, while Git guards against newline characters (\n) being injected into a repository's URL, some programming languages also treat carriage return characters (\r) as newlines. Adding a carriage return to a repository's URL can cause Git and the credential manager to disagree on how the URL should be parsed, ultimately resulting in Git credentials being sent to the wrong host. Malicious repositories could include Git submodules with malformed URLs, triggering the bug. Only password-based authentication with an external credential manager is vulnerable to this attack; SSH-based authentication remains secure. The Git project has chosen to consider this a vulnerability in Git, given the large amount of external software affected. The project has fixed the bug on its end by releasing updates for all supported versions that ban carriage returns in URLs entirely.
Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:
Since Git itself doesn't use the .lfsconfig file, specifying the URL that contains the newline character in .lfsconfig causes Git LFS to insert the newline character into the message, while bypassing [...] Git's validation.
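To make the parsing disagreement concrete, here is an added example (not code from the article, Git, or any credential manager) using a constructed credential-helper request in which the host value carries a stray carriage return: a parser that only treats "\n" as a line terminator, as Git does, sees one long host value, while a helper built on Python's str.splitlines() also splits on "\r" and ends up with a different host. The strict parser at the end shows the defensive fix, rejecting any request field containing a carriage return, which mirrors Git's decision to ban carriage returns in URLs entirely.

```python
# Added example (not from the article or the Git project). The request
# below is constructed; the field names follow the git-credential protocol
# ("key=value" lines, terminated by a blank line).
REQUEST = "protocol=https\nhost=good.example\rhost=other.example\npath=repo.git\n\n"


class MalformedRequest(ValueError):
    """Raised when a credential request contains a control character."""


def _fields(lines) -> dict:
    """Collect key=value pairs until the blank line that ends the request."""
    fields = {}
    for line in lines:
        if line == "":
            break
        key, _, value = line.partition("=")
        fields[key] = value  # a later duplicate key silently wins
    return fields


def parse_git_style(raw: str) -> dict:
    """Split only on '\\n', as Git does: the '\\r' stays inside the host value."""
    return _fields(raw.split("\n"))


def parse_lenient(raw: str) -> dict:
    """Split with str.splitlines(), which also treats '\\r' as a line break.

    The '\\r' turns one host line into two, and the second one wins, so
    this parser and parse_git_style() disagree on which host to use."""
    return _fields(raw.splitlines())


def parse_strict(raw: str) -> dict:
    """Hardened parser: refuse any field containing CR and any duplicate key."""
    fields = {}
    for line in raw.split("\n"):
        if line == "":
            break
        if "\r" in line:
            raise MalformedRequest(f"carriage return in credential field: {line!r}")
        key, _, value = line.partition("=")
        if not key or key in fields:
            raise MalformedRequest(f"empty or duplicate key: {key!r}")
        fields[key] = value
    return fields


def rejects(raw: str) -> bool:
    """True if the strict parser refuses the request."""
    try:
        parse_strict(raw)
    except MalformedRequest:
        return True
    return False
```

Running the three parsers over REQUEST shows the first two returning different host values and the strict one refusing the request outright.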