PT-2021-14349 · GitHub · Git LFS

Ry0Tak · Published 2021-01-15 · Updated 2024-03-06 · CVE-2021-21237

CVSS v3.1: 7.2 (High)
Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Git LFS versions prior to 2.13.2
Description: On Windows, when Git LFS operates on a malicious repository that contains a git.bat or git.exe file in the current directory, that file is executed instead of the real Git, allowing arbitrary code execution with the privileges of the user running Git LFS. The cause is the behaviour of the Go standard library's exec.LookPath on Windows: when the command name contains no directory separator, Go searches the current directory and prefers it over the directories listed in PATH, so a file dropped into a checked-out repository shadows the system git. Unix systems are not affected. The issue is the result of an incomplete fix for the earlier Git LFS search-path vulnerability, CVE-2020-27955.
Recommendations: For versions prior to 2.13.2, update to version 2.13.2 or later, which resolves the issue. As a temporary workaround, avoid running Git LFS commands on Windows inside untrusted repositories, or use a different operating system until the update is applied.
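To make the search-path behaviour concrete, the following is an added example written for this page; it is not Git LFS code and not the Go standard library. It reproduces, on any operating system and against a constructed directory layout, the Windows lookup order that caused the bug (current directory before PATH) next to a hardened lookup that never consults the working directory. The helper names (unsafeLookPath, safeLookPath, buildFixture, findInDir) and the PATHEXT stand-in are this example's own assumptions, and the hardened version goes slightly beyond the single case in the advisory by also treating empty and relative PATH entries as aliases for the current directory, which they are on Windows.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// windowsExts is a constructed stand-in for Windows' PATHEXT list.
var windowsExts = []string{".com", ".exe", ".bat", ".cmd"}

// ErrCurrentDir is returned when the only match for a command lives in the
// working directory (the situation Go 1.19+ exec.LookPath reports as ErrDot).
var ErrCurrentDir = errors.New("refusing to run a program found in the current directory")

// findInDir returns the first name+ext that exists as a regular file in dir.
func findInDir(dir, name string) string {
	for _, ext := range windowsExts {
		p := filepath.Join(dir, name+ext)
		if st, err := os.Stat(p); err == nil && st.Mode().IsRegular() {
			return p
		}
	}
	return ""
}

// unsafeLookPath models exec.LookPath on Windows before Go 1.19: a bare command
// name is looked up in the current directory first, then in PATH, so a git.bat
// inside a checked-out repository shadows the real git.exe.
func unsafeLookPath(name, cwd string, pathList []string) (string, error) {
	for _, d := range append([]string{cwd}, pathList...) {
		if p := findInDir(d, name); p != "" {
			return p, nil
		}
	}
	return "", fmt.Errorf("%q not found", name)
}

// safeLookPath is the hardened lookup: it requires a bare command name, skips
// every PATH entry that is empty, relative, or resolves to the working
// directory, and reports ErrCurrentDir rather than silently running a file
// from the repository when that would have been the only match.
func safeLookPath(name, cwd string, pathList []string) (string, error) {
	if strings.ContainsAny(name, `\/:`) {
		return "", fmt.Errorf("%q: bare command name expected", name)
	}
	absCwd, err := filepath.Abs(cwd)
	if err != nil {
		return "", err
	}
	sawCwd := false
	for _, d := range pathList {
		if d == "" || !filepath.IsAbs(d) || filepath.Clean(d) == absCwd {
			sawCwd = true // "" and "." in PATH mean the current directory
			continue
		}
		if p := findInDir(d, name); p != "" {
			return p, nil
		}
	}
	if sawCwd && findInDir(absCwd, name) != "" {
		return "", ErrCurrentDir
	}
	return "", fmt.Errorf("%q not found", name)
}

// buildFixture lays out a constructed scenario under root: a malicious
// repository carrying git.bat and a trusted bin directory holding git.exe.
func buildFixture(root string) (repo, bin string, err error) {
	repo = filepath.Join(root, "repo")
	bin = filepath.Join(root, "bin")
	for _, d := range []string{repo, bin} {
		if err = os.MkdirAll(d, 0o755); err != nil {
			return "", "", err
		}
	}
	if err = os.WriteFile(filepath.Join(repo, "git.bat"), []byte("@echo pwned\r\n"), 0o755); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(filepath.Join(bin, "git.exe"), []byte("MZ"), 0o755); err != nil {
		return "", "", err
	}
	return repo, bin, nil
}

func main() {
	root, err := os.MkdirTemp("", "lfs-lookpath")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	repo, bin, err := buildFixture(root)
	if err != nil {
		panic(err)
	}
	p, _ := unsafeLookPath("git", repo, []string{bin})
	fmt.Println("pre-fix lookup from inside the repo:", p)
	p, err = safeLookPath("git", repo, []string{bin})
	fmt.Println("hardened lookup:", p, err)
	_, err = safeLookPath("git", repo, []string{"", repo})
	fmt.Println("hardened lookup with only the cwd on PATH:", err)
}
```

On Go 1.19 and later the standard library applies the same rule itself: exec.LookPath (and exec.Command) return exec.ErrDot when the resolved program is relative to the current directory, including the implicit current-directory search on Windows, so callers that wrap the lookup should check for that error with errors.Is rather than unwrapping the path and running it anyway.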

Weakness Enumeration

Code Injection (CWE-94)
Untrusted Search Path (CWE-426)

Related Identifiers

BIT-GIT-LFS-2021-21237
CVE-2021-21237
GHSA-CX3W-XQMC-84G5
GO-2021-0098

Affected Products

Git LFS