Git clone vulnerability announced

2021-03-09 18:00:45
Taylor Blau
github.blog

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 5.1 Medium
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Today, the Git project released new versions to address CVE-2021-21300: a security vulnerability in the delayed checkout mechanism used by Git LFS during git clone operations affecting versions 2.15 and newer.

These updates address an issue where a specially crafted repository can execute code during a git clone on case-insensitive filesystems which support symbolic links by abusing certain types of clean/smudge filters, like those configured by Git LFS.

Upgrade to the latest Git version

The most effective way to protect against this vulnerability is to upgrade to 2.30.2. If you can’t update immediately, you can reduce your risk by doing any of the following:

  • Disable support for symbolic links in Git by running git config --global core.symlinks false.
  • Disable support for process filters. (You can see if any of these are configured on your system by running git config --show-scope --get-regexp 'filter\..*\.process' (see note 1).)
  • Avoid cloning untrusted repositories.
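The three checks above (installed version, core.symlinks, configured process filters) are easy to script for a fleet. The POSIX shell helper below is an added example written for this page; it is not code from the Git project or from GitHub's advisory. It assumes the affected range stated in the post (2.15 and newer, fixed in 2.30.2), and it assumes the listing format printed by git config --show-scope --get-regexp, namely one line per entry of the form "<scope><TAB>filter.<name>.process <command>". Hosts running a distribution build with the fix backported to an older version line will show as "upgrade" here; check such hosts against the distribution's own advisory.

```shell
#!/bin/sh
# Added triage helper for CVE-2021-21300 (example code, not from the Git project).
# Assumptions (taken from the post): affected range is 2.15 <= version < 2.30.2.
# Assumed input format for the filter listing, as printed by
#   git config --show-scope --get-regexp 'filter\..*\.process'
# is one line per entry: "<scope><TAB>filter.<name>.process <command>".

# vercmp A B: compare two dotted versions on their first three numeric fields.
# Prints -1, 0 or 1. Non-numeric suffixes such as ".windows.1" are ignored.
vercmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i"); x=${x%%[!0-9]*}; x=${x:-0}
    y=$(printf '%s\n' "$2" | cut -d. -f"$i"); y=${y%%[!0-9]*}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# git_affected VERSION: prints "yes" when VERSION is inside the range the post
# describes. Accepts either "2.30.2" or the raw "git version 2.30.2" output.
git_affected() {
  v=${1#git version }
  if [ "$(vercmp "$v" 2.15.0)" -ge 0 ] && [ "$(vercmp "$v" 2.30.2)" -lt 0 ]; then
    printf '%s\n' yes
  else
    printf '%s\n' no
  fi
}

# process_filters: read the git config listing on stdin and print the <name>
# part of every filter.<name>.process entry, one per line.
process_filters() {
  while IFS= read -r line; do
    case $line in
      *filter.*.process*)
        name=${line#*filter.}
        printf '%s\n' "${name%%.process*}"
        ;;
    esac
  done
}

# triage VERSION SYMLINKS: apply the post's advice to one host and print a verdict.
# VERSION is `git --version` output, SYMLINKS is the core.symlinks value ("" if
# unset) and stdin carries the filter listing.
triage() {
  filters=$(process_filters | tr '\n' ',')
  filters=${filters%,}
  if [ "$(git_affected "$1")" = no ]; then
    printf '%s\n' "ok: git version outside the affected range"
  elif [ -z "$filters" ]; then
    printf '%s\n' "mitigated: no filter.<name>.process entries configured"
  elif [ "$2" = false ]; then
    printf '%s\n' "mitigated: core.symlinks=false (process filters present: $filters)"
  else
    printf '%s\n' "upgrade: affected git with process filter(s) $filters and symlinks enabled"
  fi
}

# Run against the local installation with: sh check.sh --live
if [ "${1:-}" = --live ] && command -v git >/dev/null 2>&1; then
  git config --show-scope --get-regexp 'filter\..*\.process' 2>/dev/null \
    | triage "$(git --version)" "$(git config --global --get core.symlinks 2>/dev/null || true)"
fi
```

The verdict order matters: a version outside the affected range needs nothing, a host with no process filters configured has nothing for a crafted repository to abuse, and only then is core.symlinks consulted. Because --show-scope only exists in newer Git, collect the listing on each host with whatever Git it has and feed the text to triage rather than relying on the --live shortcut everywhere.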

GitHub itself is not vulnerable to this attack. We do not store checked out copies of repositories on our servers, except for GitHub Pages, which does not use any clean/smudge filters.

Credit for finding and fixing this vulnerability is shared among Matheus Tavares and Johannes Schindelin.

Download Git 2.30.2.


1. In the Windows Command Prompt, replace the single quotes in this example with double quotes.
