CVE-2021-21237

Git LFS can execute a Git binary from the current directory on Windows

Description

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.

References

Link	Tags
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5	third party advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27955	third party advisory
https://github.com/git-lfs/git-lfs/releases/tag/v2.13.2	third party advisory
https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-21237?: CVE-2021-21237 has been scored as a high severity vulnerability.
How to fix CVE-2021-21237?: To fix CVE-2021-21237, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21237 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-21237 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21237?: CVE-2021-21237 affects git-lfs git-lfs.

Description

Category

CWE-426 – Untrusted Search Path

References

Frequently Asked Questions