CVE-2021-21300

Summary

CVE	CVE-2021-21300
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-03-09 20:15:00 UTC
Updated	2023-11-07 03:29:00 UTC
Description	Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.

Risk And Classification

Problem Types: CWE-59

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Macos	All	All	All	All
Application	Apple	Xcode	All	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Git-scm	Git	All	All	All	All
Application	Git-scm	Git	2.27.0	All	All	All
Application	Git-scm	Git	2.28.0	All	All	All
Application	Git-scm	Git	All	All	All	All

References

Reference	Source	Link	Tags
[ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300 - Junio C Hamano		lore.kernel.org
[ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300 - Junio C Hamano	MISC	lore.kernel.org	Release Notes, Third Party Advisory
malicious repositories can execute remote code while cloning · Advisory · git/git · GitHub	CONFIRM	github.com	Third Party Advisory
[SECURITY] Fedora 33 Update: git-2.30.2-1.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Git: User-assisted execution of arbitrary code (GLSA 202104-01) — Gentoo security	GENTOO	security.gentoo.org
checkout: fix bug that makes checkout follow symlinks in leading path · git/git@684dd4c · GitHub	MISC	github.com	Patch, Third Party Advisory
[SECURITY] Fedora 33 Update: git-2.30.2-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
[SECURITY] Fedora 34 Update: git-2.30.2-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
git-config(1) Manual Page	MISC	git-scm.com	Vendor Advisory
[SECURITY] Fedora 32 Update: git-2.26.3-2.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
[SECURITY] Fedora 32 Update: git-2.26.3-2.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: git-2.30.2-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Full Disclosure: APPLE-SA-2021-04-26-10 Xcode 12.5	FULLDISC	seclists.org
About the security content of Xcode 12.5 - Apple Support	CONFIRM	support.apple.com
Git LFS Clone Command Execution ≈ Packet Storm	MISC	packetstormsecurity.com
oss-security - git: malicious repositories can execute remote code while cloning	MLIST	www.openwall.com	Exploit, Mailing List, Third Party Advisory
gitattributes(5) Manual Page	MISC	git-scm.com	Vendor Advisory
[SECURITY] [DLA 3145-1] git security update	MLIST	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

174776 SUSE Enterprise Linux Security update for git (SUSE-SU-2021:0757-1)
179664 Debian Security Update for git (CVE-2021-21300)
181127 Debian Security Update for git (DLA 3145-1)
281506 Fedora Security Update for git (FEDORA-2021-63fcbd126e)
281507 Fedora Security Update for git (FEDORA-2021-ffd0b2108d)
281508 Fedora Security Update for git (FEDORA-2021-03e61a6647)
296067 Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)
352255 Amazon Linux Security Advisory for git: ALAS-2021-1490
352257 Amazon Linux Security Advisory for git: ALAS2-2021-1621
375511 Apple Xcode Prior To 12.5 Vulnerability (HT212320)
500222 Alpine Linux Security Update for git
501411 Alpine Linux Security Update for git
503966 Alpine Linux Security Update for git
670327 EulerOS Security Update for git (EulerOS-SA-2021-1897)
670354 EulerOS Security Update for git (EulerOS-SA-2021-1870)
670381 EulerOS Security Update for git (EulerOS-SA-2021-1944)
670402 EulerOS Security Update for git (EulerOS-SA-2021-1923)
710011 Gentoo Linux Git User-assisted Execution of Arbitrary Code Vulnerability (GLSA 202104-01)
750320 OpenSUSE Security Update for git (openSUSE-SU-2021:0405-1)
750907 OpenSUSE Security Update for git (openSUSE-SU-2021:2555-1)