| modules: |
| - module: github.com/git-lfs/git-lfs |
| versions: |
| - fixed: 1.5.1-0.20210113180018-fc664697ed2c |
| packages: |
| - package: github.com/git-lfs/git-lfs/commands |
| goos: |
| - windows |
| symbols: |
| - PipeCommand |
| skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]' |
| - package: github.com/git-lfs/git-lfs/creds |
| goos: |
| - windows |
| symbols: |
| - AskPassCredentialHelper.getFromProgram |
| - commandCredentialHelper.Approve |
| skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]' |
| - package: github.com/git-lfs/git-lfs/lfs |
| goos: |
| - windows |
| symbols: |
| - pipeExtensions |
| skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]' |
| - package: github.com/git-lfs/git-lfs/lfshttp |
| goos: |
| - windows |
| symbols: |
| - sshAuthClient.Resolve |
| skip_fix: 'TODO: fill this out [or set vulnerable_at to derive symbols]' |
| description: | |
| Due to the standard library behavior of exec.LookPath on Windows a number of methods may |
| result in arbitrary code execution when cloning or operating on untrusted Git repositories. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2021-21237 |
| ghsas: |
| - GHSA-cx3w-xqmc-84g5 |
| credit: '@Ry0taK' |
| references: |
| - fix: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a |
