CVE-2021-21237 — HIGH (7.2)

Q: How severe is CVE-2021-21237?

CVE-2021-21237 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21237?

Check the references section above for vendor advisories and patch information. Affected products include: Git Large File Storage Project Git Large File Storage.

Vulnerability Description

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Git Large File Storage Project	Git Large File Storage	< 2.13.2

Related Weaknesses (CWE)

CWE-426

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27955Third Party Advisory
https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea7PatchThird Party Advisory
https://github.com/git-lfs/git-lfs/releases/tag/v2.13.2Third Party Advisory
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5Third Party Advisory
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27955Third Party Advisory
https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea7PatchThird Party Advisory
https://github.com/git-lfs/git-lfs/releases/tag/v2.13.2Third Party Advisory
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5Third Party Advisory

FAQ

What is CVE-2021-21237?

CVE-2021-21237 is a vulnerability with a CVSS score of 7.2 (HIGH). Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program w...

How severe is CVE-2021-21237?

CVE-2021-21237 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21237?

Check the references section above for vendor advisories and patch information. Affected products include: Git Large File Storage Project Git Large File Storage.