Git LFS can execute a Git binary from the current directory on Windows
CVE-2021-21237

7.2HIGH

Key Information:

Vendor: Git-lfs
Status: Git-lfs
Vendor: CVE Published:; 15 January 2021

What is CVE-2021-21237?

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.

Affected Version(s)

git-lfs < 2.13.2

References

https://github.com/git-lfs/git-lfs/security/advisories/GH...

x_refsource_CONFIRM

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2...

x_refsource_MISC

https://github.com/git-lfs/git-lfs/releases/tag/v2.13.2

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 15, 2021
Vulnerability Reserved
Dec 22, 2020

Git-lfs

What is CVE-2021-21237?

Affected Version(s)

References

CVSS V3.1

Timeline