github.com/git-lfs/git-lfs is vulnerable to arbitrary code execution. A remote attacker is able to inject and execute malicious `..exe` programs on a targeted system when Git LFS operates on a malicious repository that contains a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in any directory listed in `PATH`.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/git-lfs/git-lfs | le | v3.1.2 |
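
The preconditions in the description can be checked on a working tree before Git LFS is run in it. The Go program below is an added example, not code from Git LFS or from this advisory; `Finding` and `Scan` are hypothetical names, and flagging the two files anywhere in the tree (rather than in one particular directory) is a conservative assumption.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding records the three conditions named in the advisory text.
type Finding struct {
	DotDotExe, GitExe []string // paths of files named "..exe" and "git.exe"
	GitOnPath         bool     // true if git.exe exists in a PATH directory
}

// Exposed is true only when all conditions hold: both files are present
// in the tree and git.exe cannot be found through PATH.
func (f Finding) Exposed() bool {
	return len(f.DotDotExe) > 0 && len(f.GitExe) > 0 && !f.GitOnPath
}

// Scan walks root for the two file names and checks each pathEnv entry for git.exe.
func Scan(root, pathEnv string) (Finding, error) {
	var f Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		switch strings.ToLower(d.Name()) { // Windows file names are case-insensitive
		case "..exe":
			f.DotDotExe = append(f.DotDotExe, p)
		case "git.exe":
			f.GitExe = append(f.GitExe, p)
		}
		return nil
	})
	for _, dir := range filepath.SplitList(pathEnv) {
		st, e := os.Stat(filepath.Join(dir, "git.exe"))
		if dir != "" && e == nil && !st.IsDir() {
			f.GitOnPath = true
		}
	}
	return f, err
}

func main() {
	f, err := Scan(".", os.Getenv("PATH"))
	fmt.Printf("exposed=%v ..exe=%v git.exe=%v gitOnPath=%v err=%v\n", f.Exposed(), f.DotDotExe, f.GitExe, f.GitOnPath, err)
}
```

A result of `exposed=true` means the tree matches the description above and should not be handled with an affected Git LFS version (v3.1.2 or earlier, per the table).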