New versions of Git have been released today to address a security vulnerability (CVE-2020-5260) found in versions 2.26 and older. The update addresses an issue with Git's credential helpers mechanism whereby a carefully crafted URL could be used to trick Git into sending your credentials to a remote server.
Upgrade to the latest Git version
The most effective way to protect against this vulnerability is to upgrade to 2.26.1. If you can’t update immediately, reduce your risk with the following:
- Avoid running
git clone
with--recurse-submodules
against untrusted repositories - Disable using credential helpers:
- Globally:
git config --global --unset credential.helper
- In each repository:
git config --unset credential.helper
- Globally:
Atlassian has investigated the impact of this vulnerability for our products that employ Git.
- Bitbucket Server/Data Center is not affected.
- Bamboo is not affected.
- Fisheye/Crucible are not affected.
- Bitbucket Cloud is not affected. If you use Pipelines to run scripts that explicitly clone submodules or use credential helpers, you should ensure that you upgrade Git to 2.26.1 in your Docker image
- Sourcetree users should upgrade to the latest version of Git and select the option to use system Git to help protect against this vulnerability. An update to the embedded version of Git in Sourcetree for Mac and Windows users is forthcoming.
For our server products (Bitbucket Server/Data Center, Bamboo, Fisheye, and Crucible), if you or another system admin have configured your own credential helpers or credentials files outside of the product's standard installation, you should upgrade Git to 2.26.1 to be safe.
Credit for finding these vulnerabilities goes to Felix Wilhelm of Google Project Zero.