7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21237

GHSA ID

GHSA-cx3w-xqmc-84g5

EPSS Score

0.42213%

CWE

CWE-94

Published

2/15/2022

Updated

2/14/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21237

CVE-2021-21237: Git LFS can execute a Git binary from the current directory on Windows

Impact

On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

This is the result of an incomplete fix for CVE-2020-27955.

This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.

Patches

This version should be patched in v2.13.2, which will be released in coordination with this security advisory.

Workarounds

Other than avoiding untrusted repositories or using a different operating system, there is no workaround.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Start a discussion in the Git LFS discussion page.
If you cannot open a discussion, please email the core team using their usernames at github.com.

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21237

GHSA ID

GHSA-cx3w-xqmc-84g5

EPSS Score

0.42213%

CWE

CWE-94

Published

2/15/2022

Updated

2/14/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/git-lfs/git-lfs	go	< 2.13.2	2.13.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using Go's os/exec.Command without proper PATH sanitization on Windows. The commit diff shows systematic replacement of exec.Command with a custom subprocess.ExecCommand that performs safe PATH resolution. The affected functions were all modified in the security patch, directly calling exec.Command with external command names (like 'git') without directory separators, making them susceptible to executing malicious binaries in the current working directory due to Go's PATH search behavior on Windows.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t On Win*ows, i* *it L*S op*r*t*s on * m*li*ious r*pository wit* * *it.**t or *it.*x* *il* in t** *urr*nt *ir**tory, t**t pro*r*m woul* ** *x**ut**, p*rmittin* t** *tt**k*r to *x**ut* *r*itr*ry *o**. T*is *o*s not *****t Unix syst*ms. T*is

Reasoning

T** vuln*r**ility st*ms *rom usin* *o's `os/*x**.*omm*n*` wit*out prop*r P*T* s*nitiz*tion on Win*ows. T** *ommit *i** s*ows syst*m*ti* r*pl***m*nt o* `*x**.*omm*n*` wit* * *ustom `su*pro**ss.*x***omm*n*` t**t p*r*orms s*** P*T* r*solution. T** *****

7.2

Basic Information

Concerned about an active attack path?

CVE-2021-21237: Git LFS can execute a Git binary from the current directory on Windows

Impact

Patches

Workarounds

References

For more information

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI