Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-21300

Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.

Published

2021-03-09T20:15:13.260

Last Modified

2024-11-21T05:47:58.407

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.0 (HIGH)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

4.9

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-59
Type: Primary
CWE-59

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	git-scm	git	≤ 2.14.2	Yes
Application	git-scm	git	< 2.17.6	Yes
Application	git-scm	git	< 2.18.5	Yes
Application	git-scm	git	< 2.19.6	Yes
Application	git-scm	git	< 2.20.5	Yes
Application	git-scm	git	< 2.21.4	Yes
Application	git-scm	git	< 2.22.5	Yes
Application	git-scm	git	< 2.23.4	Yes
Application	git-scm	git	< 2.24.4	Yes
Application	git-scm	git	< 2.25.5	Yes
Application	git-scm	git	< 2.26.3	Yes
Application	git-scm	git	< 2.29.3	Yes
Application	git-scm	git	< 2.30.2	Yes
Application	git-scm	git	2.27.0	Yes
Application	git-scm	git	2.28.0	Yes
Operating System	fedoraproject	fedora	32	Yes
Operating System	fedoraproject	fedora	33	Yes
Operating System	fedoraproject	fedora	34	Yes
Application	apple	xcode	< 12.5	Yes
Operating System	apple	macos	≥ 11.0	No
Operating System	debian	debian_linux	10.0	Yes

References

http://packetstormsecurity.com/files/163978/Git-LFS-Clone-Command-Execution.html Exploit, Third Party Advisory, VDB Entry ([email protected])
http://seclists.org/fulldisclosure/2021/Apr/60 Mailing List, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2021/03/09/3 Exploit, Mailing List, Third Party Advisory ([email protected])
https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks Vendor Advisory ([email protected])
https://git-scm.com/docs/gitattributes#_filter Vendor Advisory ([email protected])
https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592 Patch, Third Party Advisory ([email protected])
https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/10/msg00014.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBPNGLQSYJHLZZ37BO42YY6S5OTIF4L4/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCLJJLKKMS5WRFO6C475AOUZTWQLIARX/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LMXX2POK5X576BSDWSXGU7EIK6I72ERU/ ([email protected])
https://lore.kernel.org/git/xmqqim6019yd.fsf%40gitster.c.googlers.com/ ([email protected])
https://security.gentoo.org/glsa/202104-01 Third Party Advisory ([email protected])
https://support.apple.com/kb/HT212320 Third Party Advisory ([email protected])
http://packetstormsecurity.com/files/163978/Git-LFS-Clone-Command-Execution.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2021/Apr/60 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2021/03/09/3 Exploit, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://git-scm.com/docs/gitattributes#_filter Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/10/msg00014.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBPNGLQSYJHLZZ37BO42YY6S5OTIF4L4/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCLJJLKKMS5WRFO6C475AOUZTWQLIARX/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LMXX2POK5X576BSDWSXGU7EIK6I72ERU/ (af854a3a-2127-422b-91ae-364da2661108)
https://lore.kernel.org/git/xmqqim6019yd.fsf%40gitster.c.googlers.com/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202104-01 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT212320 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)