CVE-2021-21237

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.
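The root cause described above is the command-lookup behaviour of Go's os/exec on Windows: a bare name such as "git" is searched in the current directory before PATH, so a checkout containing git.bat or git.exe wins. The Go program below is an added example, not Git LFS's own code, showing a defensive wrapper around exec.LookPath that refuses any result resolved against the current directory. On Go 1.19 and later, exec.LookPath already reports such a hit as exec.ErrDot; the wrapper surfaces that and additionally rejects relative results on older toolchains. The helper names (resolvedInCwd, safeLookPath) and the sample paths are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// resolvedInCwd reports whether a path returned by a command lookup is
// relative, i.e. it would be resolved against the process's current
// directory. Both POSIX and Windows path shapes are recognised so the
// check behaves the same on either platform.
func resolvedInCwd(p string) bool {
	if p == "" {
		return true
	}
	if strings.HasPrefix(p, "/") || strings.HasPrefix(p, `\`) {
		return false // rooted path
	}
	if len(p) >= 2 && p[1] == ':' {
		c := p[0]
		if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') {
			return false // Windows drive-letter path such as C:\Git\cmd\git.exe
		}
	}
	return true // bare name or ./-style path: resolved against the current directory
}

// safeLookPath resolves a command name the way exec.LookPath does but
// refuses any result that lives in the current directory, which is where
// a hostile repository checkout could plant git.bat or git.exe.
func safeLookPath(name string) (string, error) {
	p, err := exec.LookPath(name)
	if err != nil {
		// Go 1.19+ returns exec.ErrDot when the match came from the
		// implicit current-directory entry; give it a clearer message.
		if errors.Is(err, exec.ErrDot) {
			return "", fmt.Errorf("refusing %q: found in current directory (%s)", name, p)
		}
		return "", err
	}
	if resolvedInCwd(p) {
		return "", fmt.Errorf("refusing %q: resolved to relative path %q", name, p)
	}
	return p, nil
}

func main() {
	// Constructed sample: the kind of paths a lookup might return.
	for _, p := range []string{"git.bat", `.\git.exe`, `C:\Program Files\Git\cmd\git.exe`, "/usr/bin/git"} {
		fmt.Printf("%-40s cwd-relative=%v\n", p, resolvedInCwd(p))
	}
	// Live lookup on this machine; an error here is the safe outcome.
	if p, err := safeLookPath("git"); err != nil {
		fmt.Println("lookup refused:", err)
	} else {
		fmt.Println("git resolved to", p)
	}
}
```

Callers that must stay on pre-1.19 toolchains can get the same protection from the golang.org/x/sys/execabs package, which wraps os/exec and rejects current-directory matches; either way the fix is to validate the resolved path before exec.Command runs it.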
Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  7.2 HIGH    LOCAL        HIGH             LOW             CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
GitHub_M   CNA   7.2 HIGH    LOCAL        HIGH             LOW             CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
CVE        ADP   ---         ---
Base Score (CVSS 3.x): 7.2 HIGH
EPSS Score percentile: 42%
Vendor                          Product                 Version
git_large_file_storage_project  git_large_file_storage  x < 2.13.2

x = vulnerable software versions
Debian Releases

Debian Product  Codename  Version   Status
git-lfs         bullseye  2.13.2-1  fixed
git-lfs         bookworm  3.3.0-1   fixed
git-lfs         sid       3.5.0-1   fixed
git-lfs         trixie    3.5.0-1   fixed
Ubuntu Releases

Ubuntu Product  Codename  Status
git-lfs         noble     not-affected
git-lfs         mantic    not-affected
git-lfs         lunar     not-affected
git-lfs         kinetic   not-affected
git-lfs         jammy     not-affected
git-lfs         impish    not-affected
git-lfs         hirsute   not-affected
git-lfs         groovy    ignored
git-lfs         focal     needed
git-lfs         bionic    needed
git-lfs         xenial    dne
git-lfs         trusty    dne