{"api_version":"1","generated_at":"2026-04-23T00:42:16+00:00","cve":"CVE-2021-21300","urls":{"html":"https://cve.report/CVE-2021-21300","api":"https://cve.report/api/cve/CVE-2021-21300.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-21300","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-21300"},"summary":{"title":"CVE-2021-21300","description":"Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-03-09 20:15:00","updated_at":"2023-11-07 03:29:00"},"problem_types":["CWE-59"],"metrics":[],"references":[{"url":"https://lore.kernel.org/git/xmqqim6019yd.fsf%40gitster.c.googlers.com/","name":"https://lore.kernel.org/git/xmqqim6019yd.fsf%40gitster.c.googlers.com/","refsource":"","tags":[],"title":"[ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300 - Junio C Hamano","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/","name":"https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"[ANNOUNCE] Git v2.30.2 and below for CVE-2021-21300 - Junio C Hamano","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm","name":"https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"malicious repositories can execute remote code while cloning · Advisory · git/git · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCLJJLKKMS5WRFO6C475AOUZTWQLIARX/","name":"FEDORA-2021-63fcbd126e","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: git-2.30.2-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202104-01","name":"GLSA-202104-01","refsource":"GENTOO","tags":[],"title":"Git: User-assisted execution of arbitrary code (GLSA 202104-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592","name":"https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"checkout: fix bug that makes checkout follow symlinks in leading path · git/git@684dd4c · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCLJJLKKMS5WRFO6C475AOUZTWQLIARX/","name":"FEDORA-2021-63fcbd126e","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 33 Update: git-2.30.2-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBPNGLQSYJHLZZ37BO42YY6S5OTIF4L4/","name":"FEDORA-2021-03e61a6647","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: git-2.30.2-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks","name":"https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks","refsource":"MISC","tags":["Vendor Advisory"],"title":"git-config(1) Manual Page","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LMXX2POK5X576BSDWSXGU7EIK6I72ERU/","name":"FEDORA-2021-ffd0b2108d","refsource":"FEDORA","tags":["Third Party Advisory"],"title":"[SECURITY] Fedora 32 Update: git-2.26.3-2.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LMXX2POK5X576BSDWSXGU7EIK6I72ERU/","name":"FEDORA-2021-ffd0b2108d","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: git-2.26.3-2.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBPNGLQSYJHLZZ37BO42YY6S5OTIF4L4/","name":"FEDORA-2021-03e61a6647","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: git-2.30.2-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://seclists.org/fulldisclosure/2021/Apr/60","name":"20210427 APPLE-SA-2021-04-26-10 Xcode 12.5","refsource":"FULLDISC","tags":[],"title":"Full Disclosure: APPLE-SA-2021-04-26-10 Xcode 12.5","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.apple.com/kb/HT212320","name":"https://support.apple.com/kb/HT212320","refsource":"CONFIRM","tags":[],"title":"About the security content of Xcode 12.5 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/163978/Git-LFS-Clone-Command-Execution.html","name":"http://packetstormsecurity.com/files/163978/Git-LFS-Clone-Command-Execution.html","refsource":"MISC","tags":[],"title":"Git LFS Clone Command Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/03/09/3","name":"[oss-security] 20210309 git: malicious repositories can execute remote code while cloning","refsource":"MLIST","tags":["Exploit","Mailing List","Third Party Advisory"],"title":"oss-security - git: malicious repositories can execute remote code while cloning","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://git-scm.com/docs/gitattributes#_filter","name":"https://git-scm.com/docs/gitattributes#_filter","refsource":"MISC","tags":["Vendor Advisory"],"title":"gitattributes(5) Manual Page","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00014.html","name":"[debian-lts-announce] 20221010 [SECURITY] [DLA 3145-1] git security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3145-1] git security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-21300","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21300","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"21300","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"macos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"xcode","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"git-scm","cpe5":"git","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"git-scm","cpe5":"git","cpe6":"2.27.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"git-scm","cpe5":"git","cpe6":"2.28.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"21300","vulnerable":"1","versionEndIncluding":"2.14.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"git-scm","cpe5":"git","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-21300","qid":"174776","title":"SUSE Enterprise Linux Security update for git (SUSE-SU-2021:0757-1)"},{"cve":"CVE-2021-21300","qid":"179664","title":"Debian Security Update for git (CVE-2021-21300)"},{"cve":"CVE-2021-21300","qid":"181127","title":"Debian Security Update for git (DLA 3145-1)"},{"cve":"CVE-2021-21300","qid":"281506","title":"Fedora Security Update for git (FEDORA-2021-63fcbd126e)"},{"cve":"CVE-2021-21300","qid":"281507","title":"Fedora Security Update for git (FEDORA-2021-ffd0b2108d)"},{"cve":"CVE-2021-21300","qid":"281508","title":"Fedora Security Update for git (FEDORA-2021-03e61a6647)"},{"cve":"CVE-2021-21300","qid":"296067","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 33.94.0 Missing (CPUAPR2021)"},{"cve":"CVE-2021-21300","qid":"352255","title":"Amazon Linux Security Advisory for git: ALAS-2021-1490"},{"cve":"CVE-2021-21300","qid":"352257","title":"Amazon Linux Security Advisory for git: ALAS2-2021-1621"},{"cve":"CVE-2021-21300","qid":"375511","title":"Apple Xcode Prior To 12.5 Vulnerability (HT212320)"},{"cve":"CVE-2021-21300","qid":"500222","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2021-21300","qid":"501411","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2021-21300","qid":"503966","title":"Alpine Linux Security Update for git"},{"cve":"CVE-2021-21300","qid":"670327","title":"EulerOS Security Update for git (EulerOS-SA-2021-1897)"},{"cve":"CVE-2021-21300","qid":"670354","title":"EulerOS Security Update for git (EulerOS-SA-2021-1870)"},{"cve":"CVE-2021-21300","qid":"670381","title":"EulerOS Security Update for git (EulerOS-SA-2021-1944)"},{"cve":"CVE-2021-21300","qid":"670402","title":"EulerOS Security Update for git (EulerOS-SA-2021-1923)"},{"cve":"CVE-2021-21300","qid":"710011","title":"Gentoo Linux Git User-assisted Execution of Arbitrary Code Vulnerability (GLSA 202104-01)"},{"cve":"CVE-2021-21300","qid":"750320","title":"OpenSUSE Security Update for git (openSUSE-SU-2021:0405-1)"},{"cve":"CVE-2021-21300","qid":"750907","title":"OpenSUSE Security Update for git (openSUSE-SU-2021:2555-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-21300","STATE":"PUBLIC","TITLE":"malicious repositories can execute remote code while cloning"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"git","version":{"version_data":[{"version_value":">= 2.14.2, < 2.17.62.17.6"},{"version_value":">= 2.18.0, < 2.18.5"},{"version_value":">= 2.19.0, < 2.19.6"},{"version_value":">= 2.20.0, < 2.20.5"},{"version_value":">= 2.21.0, < 2.21.4"},{"version_value":">= 2.22.0, < 2.22.5"},{"version_value":">= 2.23.0, < 2.23.4"},{"version_value":">= 2.24.0, < 2.24.4"},{"version_value":">= 2.25.0, < 2.25.5"},{"version_value":">= 2.26.0, < 2.26.3"},{"version_value":">= 2.27.0, < 2.27.1"},{"version_value":">= 2.28.0, < 2.28.1"},{"version_value":">= 2.29.0, < 2.29.3"},{"version_value":">= 2.30.0, < 2.30.1"}]}}]},"vendor_name":"git"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-59 Improper Link Resolution Before File Access ('Link Following')"}]}]},"references":{"reference_data":[{"name":"https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm","refsource":"CONFIRM","url":"https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm"},{"name":"https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/","refsource":"MISC","url":"https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/"},{"name":"https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks","refsource":"MISC","url":"https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks"},{"name":"https://git-scm.com/docs/gitattributes#_filter","refsource":"MISC","url":"https://git-scm.com/docs/gitattributes#_filter"},{"name":"https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592","refsource":"MISC","url":"https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592"},{"refsource":"MLIST","name":"[oss-security] 20210309 git: malicious repositories can execute remote code while cloning","url":"http://www.openwall.com/lists/oss-security/2021/03/09/3"},{"refsource":"FEDORA","name":"FEDORA-2021-63fcbd126e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LCLJJLKKMS5WRFO6C475AOUZTWQLIARX/"},{"refsource":"FEDORA","name":"FEDORA-2021-ffd0b2108d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LMXX2POK5X576BSDWSXGU7EIK6I72ERU/"},{"refsource":"FEDORA","name":"FEDORA-2021-03e61a6647","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBPNGLQSYJHLZZ37BO42YY6S5OTIF4L4/"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT212320","url":"https://support.apple.com/kb/HT212320"},{"refsource":"FULLDISC","name":"20210427 APPLE-SA-2021-04-26-10 Xcode 12.5","url":"http://seclists.org/fulldisclosure/2021/Apr/60"},{"refsource":"GENTOO","name":"GLSA-202104-01","url":"https://security.gentoo.org/glsa/202104-01"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/163978/Git-LFS-Clone-Command-Execution.html","url":"http://packetstormsecurity.com/files/163978/Git-LFS-Clone-Command-Execution.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221010 [SECURITY] [DLA 3145-1] git security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00014.html"}]},"source":{"advisory":"GHSA-8prw-h3cq-mghm","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-03-09 20:15:00","lastModifiedDate":"2023-11-07 03:29:00","problem_types":["CWE-59"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.1},"severity":"MEDIUM","exploitabilityScore":4.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionEndIncluding":"2.14.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.25.0","versionEndExcluding":"2.25.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.24.0","versionEndExcluding":"2.24.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.23.0","versionEndExcluding":"2.23.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.22.0","versionEndExcluding":"2.22.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.21.0","versionEndExcluding":"2.21.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.20.0","versionEndExcluding":"2.20.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.19.0","versionEndExcluding":"2.19.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.18.0","versionEndExcluding":"2.18.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.17.0","versionEndExcluding":"2.17.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.26.0","versionEndExcluding":"2.26.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.29.0","versionEndExcluding":"2.29.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*","versionStartIncluding":"2.30.0","versionEndExcluding":"2.30.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:2.27.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:git-scm:git:2.28.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*","versionEndExcluding":"12.5","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*","versionStartIncluding":"11.0","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"21300","Ordinal":"195426","Title":"CVE-2021-21300","CVE":"CVE-2021-21300","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"21300","Ordinal":"1","NoteData":"Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"21300","Ordinal":"2","NoteData":"2021-03-09","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"21300","Ordinal":"3","NoteData":"2021-08-31","Type":"Other","Title":"Modified"}]}}}