PT-2020-16878 · Github · Git+1

Dawid Golunski · Published 2020-11-05 · Updated 2024-03-06 · CVE-2020-27955

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Git LFS version 2.12.0
Git versions prior to 2.29.2
Description

The issue allows Remote Code Execution (RCE) on Windows systems when Git LFS operates on a malicious repository that contains a git.bat or git.exe file in the current directory. This occurs because on Windows, Go includes (and prefers) the current directory in the executable search when the command name being run does not contain a directory separator, so a bare "git" resolves to the attacker-supplied file before the real Git installation. The problem does not affect Unix systems.
Recommendations

For Git LFS version 2.12.0, update to version 2.12.1 or later. For Git versions prior to 2.29.2, update to version 2.29.2 or later. As a temporary workaround, consider avoiding untrusted repositories until a patch is available.
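The search-order check behind this advisory, as an added example (this is not Git LFS code and not part of the Go standard library): a Go helper that resolves a bare command name through PATH but refuses any candidate that lives in the working directory, which is exactly the location a malicious checkout controls. The names SafeLookPath and ResolvedInCwd are hypothetical; exec.ErrDot is the real sentinel that os/exec returns on Go 1.19 and later when a match was found only via the current directory, and the explicit directory comparison covers older toolchains and PATH entries that happen to point at the checkout.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ResolvedInCwd reports whether an executable path resolved by LookPath sits
// directly in the current working directory. Symlinks are resolved on both
// sides so that aliased temp directories compare equal. (Hypothetical helper.)
func ResolvedInCwd(resolved string) (bool, error) {
	cwd, err := os.Getwd()
	if err != nil {
		return false, err
	}
	abs, err := filepath.Abs(resolved)
	if err != nil {
		return false, err
	}
	if r, err := filepath.EvalSymlinks(abs); err == nil {
		abs = r
	}
	if r, err := filepath.EvalSymlinks(cwd); err == nil {
		cwd = r
	}
	return filepath.Clean(filepath.Dir(abs)) == filepath.Clean(cwd), nil
}

// SafeLookPath resolves a bare command name such as "git" through PATH but
// refuses any candidate that is only reachable via the working directory.
// It also rejects names that already contain a path separator, because those
// bypass PATH entirely and are the caller's responsibility to vet.
// (Hypothetical helper.)
func SafeLookPath(name string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("refusing %q: pass a bare command name, not a path", name)
	}
	p, err := exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) {
		// Go 1.19+ reports a match found via "." (the Windows search-order case).
		return "", fmt.Errorf("%q resolved via the current directory: %w", name, err)
	}
	if err != nil {
		return "", err
	}
	inCwd, err := ResolvedInCwd(p)
	if err != nil {
		return "", err
	}
	if inCwd {
		return "", fmt.Errorf("%q resolved to %s inside the working directory; refusing to run it", name, p)
	}
	return p, nil
}

func main() {
	// Resolve git the hardened way: a git.bat or git.exe dropped into a
	// checkout is reported here instead of being executed.
	p, err := SafeLookPath("git")
	if err != nil {
		fmt.Println("refused:", err)
		return
	}
	fmt.Println("using", p)
}
```

A tool that shells out to git from inside a cloned repository would call SafeLookPath once at startup and cache the absolute path, so later invocations never depend on the current directory at all.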

Exploit

Fix

Weakness Enumeration

Code Injection
Uncontrolled Search Path Element
Untrusted Search Path

Related Identifiers

BIT-GIT-LFS-2020-27955
BIT-GIT-LFS-2021-21237
CVE-2020-27955
GHSA-4G4P-42WC-9F3M
GHSA-CX3W-XQMC-84G5

Affected Products

Git
Git Lfs