INFSA-2025:11533: git security update

Information about the advisory

Identifier: INFSA-2025:11533

Type: security

Release date: 2025-07-25 11:11:22 UTC

Information about the package

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Vulnerabilities description

  • CVE-2024-50349

    A flaw was found in Git. This vulnerability occurs when Git requests credentials via a terminal prompt, for example, without the use of a credential helper. During this process, Git displays the host name for which the credentials are needed, but any URL-encoded parts are decoded and displayed directly. This can allow an attacker to manipulate URLs by including ANSI escape sequences, which can be interpreted by the terminal to mislead users by tricking them into entering passwords that are redirected to malicious attacker-controlled sites.

  • CVE-2024-52006

    A flaw was found in Git. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems, most notably .NET and node.js, interpret single Carriage Return characters as newlines, which render the protections against CVE-2020-5260 incomplete for credential helpers, which has the potential to expose stored credentials to malicious URLs.

  • CVE-2025-27613

    A vulnerability has been identified in the gitk application that could lead to unauthorized file modification or data loss.

  • CVE-2025-27614

    Git could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation of a gitk filename.

  • CVE-2025-46835

    A vulnerability was found in the git GUI package. When a user clones an untrusted repository and edits a file located in a maliciously named directory, git GUI may end up creating or overwriting arbitrary files for which the running user has write permission. This flaw allows an attacker to modify the content of target files without the affected user's intent, resulting in a data integrity issue.

  • CVE-2025-48384

    A line-end handling flaw was found in Git. When writing a config entry, values with a trailing carriage return (CR) are not quoted, resulting in the CR being lost when the config is read later. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read, resulting in the submodule being checked out to an incorrect location.

  • CVE-2025-48385

    A bundle-URI handling flaw was found in Git. When cloning a repository, Git can optionally fetch a bundle advertised by the remote server, which allows the server side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection.
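Two of the flaws above (CVE-2024-52006 and CVE-2025-48384) come down to a bare carriage return surviving where a line-based format did not expect one. The following defensive checks are an added example written for this advisory, not code from the Git project: a credential-protocol parser that splits on LF only and refuses control characters in keys and values, and a scanner that flags config values written with an unquoted trailing CR. All sample requests and the .gitmodules content are constructed.

```python
import re

# Constructed samples (not taken from the advisory).
# 1) git credential-protocol requests: "key=value" lines terminated by LF, with
#    a blank line ending the request. The second embeds a bare CR inside the
#    host value, the input class CVE-2024-52006 describes.
CLEAN_REQUEST = "protocol=https\nhost=example.com\nusername=alice\n\n"
CR_REQUEST = "protocol=https\nhost=example.com\rhost=other.example\n\n"
# 2) a .gitmodules file read as bytes, without newline translation. The second
#    submodule's path carries a trailing CR written unquoted (CVE-2025-48384).
GITMODULES = (
    b'[submodule "lib"]\n\tpath = lib\n\turl = https://example.com/lib.git\n'
    b'[submodule "vendor"]\n\tpath = vendor\r\n\turl = https://example.com/v.git\n'
)

# Any C0 control character (NUL..US) or DEL has no place in a credential field.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_credential_request(text):
    """Split a credential request on LF only and reject control characters.

    Returns a dict of key -> value. Raises ValueError if any key or value
    carries CR, LF or another control character, so a helper that treats a
    bare CR as a newline can never be handed an injected second "host=" line.
    """
    fields = {}
    for line in text.split("\n"):
        if line == "":
            break  # blank line terminates the request
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value):
            raise ValueError("control character in field %r" % key)
        fields[key] = value
    return fields


def request_is_clean(text):
    """True if the request parses without any rejected field."""
    try:
        parse_credential_request(text)
        return True
    except ValueError:
        return False


def trailing_cr_values(config_bytes):
    """Return config keys whose raw, unquoted value ends in a bare CR.

    Git reads CRLF as a line ending, so "path = vendor\\r\\n" is later seen as
    "vendor" and the CR is silently lost; flag such entries before using the
    repository with submodules. Quoted values end in '"' and are not flagged.
    """
    hits = []
    for raw in config_bytes.split(b"\n"):
        key, sep, value = raw.partition(b"=")
        if sep and value.endswith(b"\r"):
            hits.append(key.strip().decode("ascii", "replace"))
    return hits
```

A config file saved with CRLF line endings throughout will flag every value, so treat hits as entries to inspect rather than as a verdict on their own.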

Severity level

CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0
    | no information | 3.1            | no information
    | no information | 4.3            | no information
    | no information | 4.3            | no information
    | no information | 6.3            | no information
    | no information | 3.1            | no information
    | no information | 8.0            | no information
    | no information | 8.3            | no information

Updated packages