Vulnerability in Git
CVE-2021-21300
Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out scr…
EPSS: 0.619 (98.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.0 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N.
Affected products
- Git — versions >= 2.14.2, < 2.17.62.17.6, >= 2.18.0, < 2.18.5, >= 2.19.0, < 2.19.6
Weakness classification (CWE)
Public proof-of-concept exploits
References
- github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
- lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/
- git-scm.com/docs/git-config
- git-scm.com/docs/gitattributes
- github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592
- [oss-security] 20210309 git: malicious repositories can execute remote code while cloning (mailing-list)
- FEDORA-2021-63fcbd126e (vendor-advisory)
- FEDORA-2021-ffd0b2108d (vendor-advisory)
- FEDORA-2021-03e61a6647 (vendor-advisory)
- support.apple.com/kb/HT212320
Frequently asked questions
- What is CVE-2021-21300?
- CVE-2021-21300 is a high-severity vulnerability in Git, classified under Improper Link Resolution Before File Access. CVSS score: 8.0/10. Published 2021-03-09.
- How severe is CVE-2021-21300?
- High severity. CVSS v3 base score is 8.0 out of 10.
- Is CVE-2021-21300 known to be exploited?
- 60 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.