CVE-2021-21237

EUVD-2022-0965
Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.
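The root cause described above is Go's command lookup on Windows including the current directory when the name has no separator. One defensive pattern, written here as an added example (not the git-lfs project's code or its actual v2.13.2 fix), is to resolve the command only against absolute PATH entries and refuse anything that would have come from the working directory; the helper name lookPathStrict is assumed, and only the Go standard library is used.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrCurrentDir: the only match lives in the current working directory (or another
// relative PATH entry), which is exactly what an attacker controls inside a clone.
var ErrCurrentDir = errors.New("command found only in the current directory; refusing")

// lookPathStrict resolves a bare command name using only absolute PATH entries.
// Relative entries ("" or ".") are skipped: on Windows Go's os/exec consults the
// current directory for such names and would pick up a planted git.exe or git.bat.
func lookPathStrict(name string, pathDirs []string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("lookPathStrict: %q must be a bare command name", name)
	}
	relativeHit := false
	for _, dir := range pathDirs {
		if !filepath.IsAbs(dir) {
			// Record a match under the current directory but never use it (planted vs missing).
			if fi, err := os.Stat(filepath.Join(dir, name)); err == nil && !fi.IsDir() {
				relativeHit = true
			}
			continue
		}
		// Explicit candidate path: exec.LookPath checks it directly (PATHEXT on Windows).
		if p, err := exec.LookPath(filepath.Join(dir, name)); err == nil {
			return p, nil
		}
	}
	if relativeHit {
		return "", ErrCurrentDir
	}
	return "", exec.ErrNotFound
}

func main() {
	git, err := lookPathStrict("git", filepath.SplitList(os.Getenv("PATH")))
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run git:", err)
		os.Exit(1)
	}
	fmt.Println("git resolved to", git) // hand this absolute path to exec.Command
}
```

Passing the resolved absolute path to exec.Command means no further lookup happens, so a git.exe dropped into the repository is never a candidate.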
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.2 HIGH | LOCAL | HIGH | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
GitHub_M | CNA | 7.2 HIGH | LOCAL | HIGH | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Base Score: CVSS 3.x
EPSS Score: Percentile 41%
Affected Products (NVD)
Vendor | Product | Version
git_large_file_storage_project | git_large_file_storage | < 2.13.2 (vulnerable software versions)
Debian Releases
Debian Product | Codename | Version | Status
git-lfs | bookworm | 3.3.0-1 | fixed
git-lfs | bullseye | 2.13.2-1 | fixed
git-lfs | sid | 3.5.0-1 | fixed
git-lfs | trixie | 3.5.0-1 | fixed
Ubuntu Releases
Ubuntu Product | Codename | Status
git-lfs | bionic | needed
git-lfs | focal | needed
git-lfs | groovy | ignored
git-lfs | hirsute | not-affected
git-lfs | impish | not-affected
git-lfs | jammy | not-affected
git-lfs | kinetic | not-affected
git-lfs | lunar | not-affected
git-lfs | mantic | not-affected
git-lfs | noble | not-affected
git-lfs | trusty | dne
git-lfs | xenial | dne