CVSS3 : 7.5 High
  Attack Vector : NETWORK
  Attack Complexity : HIGH
  Privileges Required : NONE
  User Interaction : REQUIRED
  Scope : UNCHANGED
  Confidentiality Impact : HIGH
  Integrity Impact : HIGH
  Availability Impact : HIGH
  Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS2 : 5.1 Medium
  Access Vector : NETWORK
  Access Complexity : HIGH
  Authentication : NONE
  Confidentiality Impact : PARTIAL
  Integrity Impact : PARTIAL
  Availability Impact : PARTIAL
  Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS : 0.903 High (percentile 98.8%)
Severity: Low
Date : 2021-03-13
CVE-ID : CVE-2021-21300
Package : git
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1665
The package git before version 2.30.2-1 is vulnerable to arbitrary code
execution.
Upgrade to 2.30.2-1.
The problem has been fixed upstream in version 2.30.2.
None.
In affected versions of Git a specially crafted repository that
contains symbolic links as well as files using a clean/smudge filter
such as Git LFS may cause a just-checked-out script to be executed while
cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS.
Note that clean/smudge filters have to be configured for that. As a
workaround, if symbolic link support is disabled in Git (e.g. via
git config --global core.symlinks false), the described attack won't
work. Likewise, if no clean/smudge filters such as Git LFS are
configured globally (i.e. before cloning), the attack is foiled. As
always, it is best to avoid cloning repositories from untrusted sources.
The earliest impacted version is 2.14.2. The fix versions are: 2.30.2,
2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4,
2.20.5, 2.19.6, 2.18.5, 2.17.6.
Under certain circumstances, a remote attacker might be able to execute
arbitrary code by getting a local user to clone a crafted repository.
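The description above gives three preconditions (an affected git release, core.symlinks not disabled, a clean/smudge filter configured before cloning) and two workarounds. The following POSIX shell script, added here as an example and not part of the Arch advisory or of the Git project, turns those into an offline-testable check plus a live report for the current host. The fix-version list is the one given above; the sample filter configuration is constructed to look like what `git lfs install` writes; `GIT_LFS_SKIP_SMUDGE=1` is git-lfs's own environment variable, which this page does not mention; `git -c core.symlinks=false` is the per-invocation form of the global setting quoted in the advisory and is assumed here to cover the checkout that clone performs. The function names are this example's own.

```shell
#!/bin/sh
# Added example for CVE-2021-21300 (not from the Arch advisory or Git).
# A host is exposed only if all three hold:
#   1. git is an affected release (>= 2.14.2, below its line's fix version),
#   2. core.symlinks is not disabled,
#   3. a clean/smudge filter (e.g. Git LFS) is configured before the clone.

# Fix releases from the advisory text, one per maintenance line.
FIXED_VERSIONS="2.30.2 2.29.3 2.28.1 2.27.1 2.26.3 2.25.5 2.24.4 2.23.4 2.22.5 2.21.4 2.20.5 2.19.6 2.18.5 2.17.6"

# Constructed sample: what `git config --global --get-regexp '^filter\.'`
# prints on a machine where `git lfs install` has been run.
SAMPLE_GLOBAL_CONFIG="filter.lfs.clean git-lfs clean -- %f
filter.lfs.smudge git-lfs smudge -- %f
filter.lfs.process git-lfs filter-process
filter.lfs.required true"

# vercmp A B: print -1, 0 or 1 comparing dotted versions component-wise.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}            # leading component (may be empty)
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# git_version_vulnerable V: succeed if V is in the affected range.
git_version_vulnerable() {
    v=$1
    if [ "$(vercmp "$v" 2.14.2)" -lt 0 ]; then return 1; fi   # predates the bug
    minor=${v%.*}                                             # 2.30.1 -> 2.30
    for f in $FIXED_VERSIONS; do
        if [ "$minor" = "${f%.*}" ]; then
            # same maintenance line: fixed from the listed release upwards
            if [ "$(vercmp "$v" "$f")" -lt 0 ]; then return 0; else return 1; fi
        fi
    done
    # no fix release on this line: 2.14.2..2.16.x stay vulnerable,
    # lines newer than 2.30 were released with the fix
    if [ "$(vercmp "$v" 2.17.0)" -lt 0 ]; then return 0; else return 1; fi
}

# filters_in_config TEXT: succeed if TEXT (get-regexp output) defines a
# clean or smudge command, i.e. precondition 3 is met.
filters_in_config() {
    printf '%s\n' "$1" | grep -Eq '^filter\.[^ ]+\.(clean|smudge) '
}

# check_host: live report for this machine (needs git in PATH).
check_host() {
    command -v git >/dev/null 2>&1 || { echo "git not installed"; return 2; }
    v=$(git --version | awk '{print $3}')
    if git_version_vulnerable "$v"; then echo "git $v: affected release"
    else echo "git $v: fixed release"; fi
    if [ "$(git config --global --get core.symlinks || true)" = false ]; then
        echo "core.symlinks=false: symlink workaround active"
    else echo "core.symlinks not disabled globally"; fi
    cfg=$(git config --global --get-regexp '^filter\.' 2>/dev/null || true)
    if filters_in_config "$cfg"; then echo "global clean/smudge filter present: attack precondition met"
    else echo "no global clean/smudge filters: attack foiled"; fi
}

# safe_clone URL [DIR]: clone an untrusted repository with core.symlinks
# disabled for this invocation only; GIT_LFS_SKIP_SMUDGE=1 is git-lfs's own
# switch that keeps its smudge filter from running during checkout.
safe_clone() {
    GIT_LFS_SKIP_SMUDGE=1 git -c core.symlinks=false clone "$@"
}

# Live report only on request, so sourcing the file for its functions is silent.
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run `sh script.sh --check` to get the three-line report; `. ./script.sh` followed by `safe_clone <url>` applies both workarounds to a single clone of an untrusted repository without touching the global config. The version test treats each maintenance line separately, so 2.25.4 is reported as affected while 2.25.5 is not, matching the per-line fix list.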
https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
https://lore.kernel.org/git/[email protected]/
https://git.kernel.org/pub/scm/git/git.git/commit/?id=684dd4c2b414bcf648505e74498a608f28de4592
https://security.archlinux.org/CVE-2021-21300