CVE-2021-21300

Name of the Vulnerable Software and Affected Versions Git versions 2.14.2 through 2.30.0 Git versions 2.15 through 2.17.5 Git versions 2.18 through 2.18.4 Git versions 2.19 through 2.19.5 Git versions 2.20 through 2.20.4 Git versions 2.21 through 2.21.3 Git versions 2.22 through 2.22.4 Git versions 2.23 through 2.23.3 Git versions 2.24 through 2.24.3 Git versions 2.25 through 2.25.4 Git versions 2.26 through 2.26.2 Git versions 2.27 through 2.27.0 Git versions 2.28 through 2.28.0 Git versions 2.29 through 2.29.2

Description The issue is related to the Git component of the Microsoft Visual Studio development software and is associated with incorrect code generation management. A specially crafted repository containing symbolic links and files using a clean/smudge filter, such as Git LFS, may cause a just-checked-out script to be executed while cloning onto a case-insensitive file system like NTFS, HFS+, or APFS. This can allow a remote attacker to execute arbitrary code. The problem has been patched in versions published on Tuesday, March 9th, 2021. As a workaround, disabling symbolic link support in Git or not configuring clean/smudge filters globally can prevent the attack. It is best to avoid cloning repositories from untrusted sources.

Recommendations For Git versions 2.14.2 through 2.17.5, update to version 2.17.6 or later. For Git versions 2.18 through 2.18.4, update to version 2.18.5 or later. For Git versions 2.19 through 2.19.5, update to version 2.19.6 or later. For Git versions 2.20 through 2.20.4, update to version 2.20.5 or later. For Git versions 2.21 through 2.21.3, update to version 2.21.4 or later. For Git versions 2.22 through 2.22.4, update to version 2.22.5 or later. For Git versions 2.23 through 2.23.3, update to version 2.23.4 or later. For Git versions 2.24 through 2.24.3, update to version 2.24.4 or later. For Git versions 2.25 through 2.25.4, update to version 2.25.5 or later. For Git versions 2.26 through 2.26.2, update to version 2.26.3 or later. For Git versions 2.27 through 2.27.0, update to version 2.27.1 or later. For Git versions 2.28 through 2.28.0, update to version 2.28.1 or later. For Git versions 2.29 through 2.29.2, update to version 2.29.3 or later. As a temporary workaround, consider disabling symbolic link support in Git via git config --global core.symlinks false. Restrict access to clean/smudge filters such as Git LFS to minimize the risk of exploitation. Avoid using the git clone command with untrusted repositories until the issue is resolved.