CVE-2021-21300

Git is an open-source distributed revision control system. In affected
versions of Git a specially crafted repository that contains symbolic links
as well as files using a clean/smudge filter such as Git LFS, may cause
just-checked out script to be executed while cloning onto a
case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default
file systems on Windows and macOS). Note that clean/smudge filters have to
be configured for that. Git for Windows configures Git LFS by default, and
is therefore vulnerable. The problem has been patched in the versions
published on Tuesday, March 9th, 2021. As a workaound, if symbolic link
support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won’t work. Likewise, if no clean/smudge
filters such as Git LFS are configured globally (i.e. before cloning),
the attack is foiled. As always, it is best to avoid cloning repositories
from untrusted sources. The earliest impacted version is 2.14.2. The fix
versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4,
2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.