CVE-2021-21237

Опубликовано: 15 янв. 2021

Источник: ubuntu

Приоритет: medium

EPSS Низкий

CVSS2: 4.6

CVSS3: 7.2

Описание

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.

Релиз	Статус	Примечание
bionic	ignored	end of standard support, was needed
devel	not-affected	2.13.2-1
esm-apps/bionic	not-affected	vulnerability only affects Windows
esm-apps/focal	not-affected	vulnerability only affects Windows
esm-apps/jammy	not-affected	2.13.2-1
esm-apps/noble	not-affected	2.13.2-1
esm-infra-legacy/trusty	DNE
focal	ignored	end of standard support, was needed
groovy	ignored	end of life
hirsute	not-affected	2.13.2-1

Показывать по

Ссылки на источники

EPSS

Процентиль: 42%

0.00197

Низкий

4.6 Medium

CVSS2

7.2 High

CVSS3

Связанные уязвимости

CVE-2021-21237

CVSS3: 7.2

nvd

около 5 лет назад

CVE-2021-21237

CVSS3: 7.2

debian

около 5 лет назад

Git LFS is a command line extension for managing large files with Git. ...

GHSA-cx3w-xqmc-84g5

CVSS3: 7.2

github

почти 4 года назад

Git LFS can execute a Git binary from the current directory on Windows

EPSS

Процентиль: 42%

0.00197

Низкий

4.6 Medium

CVSS2

7.2 High

CVSS3

CVE-2021-21237

Описание

Пакет git-lfs

Ссылки на источники

Связанные уязвимости