Vulnerability Details : CVE-2021-21237
Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.
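The root cause described above is a PATH resolution detail: a bare command name such as `git` can resolve to `git.exe` in the working directory, which inside a checked-out repository is attacker-controlled. The following added example (not git-lfs's own fix, and the names `guardResolvedPath`, `safeLookPath` and `ErrCurrentDir` are hypothetical) shows the defensive check a Go program can apply after `exec.LookPath`: reject a relative result and reject any result that lives under the current working directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrCurrentDir is returned when a command name resolved to a file inside the
// working directory instead of to an entry on PATH.
var ErrCurrentDir = errors.New("refusing to run executable found in current directory")

// guardResolvedPath is the pure check. It rejects a relative result (older Go
// on Windows returned e.g. ".\git.exe" for a cwd hit; Go 1.19+ reports
// exec.ErrDot instead) and any absolute result located under cwd.
func guardResolvedPath(resolved, cwd string) (string, error) {
	if !filepath.IsAbs(resolved) {
		return "", ErrCurrentDir
	}
	cleaned := filepath.Clean(resolved)
	rel, err := filepath.Rel(filepath.Clean(cwd), cleaned)
	if err != nil {
		// Different volume on Windows: cannot be inside cwd.
		return cleaned, nil
	}
	outside := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
	if !outside {
		// The binary sits in or below the working directory, i.e. inside the
		// repository a malicious checkout controls.
		return "", ErrCurrentDir
	}
	return cleaned, nil
}

// safeLookPath wraps exec.LookPath so a bare command name can only resolve to
// a PATH entry, never to the repository being operated on.
func safeLookPath(name string) (string, error) {
	cwd, err := os.Getwd()
	if err != nil {
		return "", err
	}
	resolved, err := exec.LookPath(name)
	if err != nil {
		return "", err
	}
	return guardResolvedPath(resolved, cwd)
}

func main() {
	fmt.Println(safeLookPath("git"))
}
```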
Vulnerability category: File inclusion; Execute code
Products affected by CVE-2021-21237
- cpe:2.3:a:git_large_file_storage_project:git_large_file_storage:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21237
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~18% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2021-21237
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST | |
| 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
| 7.2 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N | 0.8 | 5.8 | GitHub, Inc. | |
CWE ids for CVE-2021-21237
- The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-21237
- https://github.com/git-lfs/git-lfs/releases/tag/v2.13.2 (Release v2.13.2 · git-lfs/git-lfs · GitHub; Third Party Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27955 (CVE - CVE-2020-27955; Third Party Advisory)
- https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a (Merge pull request from GHSA-cx3w-xqmc-84g5 · git-lfs/git-lfs@fc66469 · GitHub; Patch; Third Party Advisory)
- https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5 (Git LFS can execute a Git binary from the current directory on Windows · Advisory · git-lfs/git-lfs · GitHub; Third Party Advisory)