blob: 234e555ae4a16f4db20109fca0a22193bd96441d [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2021-0098",
"modified": "0001-01-01T00:00:00Z",
"published": "2021-04-14T20:04:52Z",
"aliases": [
"CVE-2021-21237",
"GHSA-cx3w-xqmc-84g5"
],
"summary": "Arbitrary code execution on Windows in github.com/git-lfs/git-lfs",
"details": "Due to the standard library behavior of exec.LookPath on Windows a number of methods may result in arbitrary code execution when cloning or operating on untrusted Git repositories.",
"affected": [
{
"package": {
"name": "github.com/git-lfs/git-lfs",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1-0.20210113180018-fc664697ed2c"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/git-lfs/git-lfs/commands",
"goos": [
"windows"
],
"symbols": [
"PipeCommand",
"PipeMediaCommand",
"Run",
"lockVerifier.Verify",
"singleCheckout.Run",
"singleCheckout.RunToPath",
"uploadContext.NewQueue",
"uploadContext.UploadPointers"
]
},
{
"path": "github.com/git-lfs/git-lfs/creds",
"goos": [
"windows"
],
"symbols": [
"AskPassCredentialHelper.Fill",
"AskPassCredentialHelper.getFromProgram",
"CredentialHelperWrapper.FillCreds",
"CredentialHelpers.Approve",
"CredentialHelpers.Fill",
"commandCredentialHelper.Approve"
]
},
{
"path": "github.com/git-lfs/git-lfs/lfs",
"goos": [
"windows"
],
"symbols": [
"GitFilter.Clean",
"GitFilter.Smudge",
"GitFilter.SmudgeToFile",
"pipeExtensions"
]
},
{
"path": "github.com/git-lfs/git-lfs/lfshttp",
"goos": [
"windows"
],
"symbols": [
"Client.Do",
"Client.DoWithAccess",
"Client.HttpClient",
"Client.NewRequest",
"Client.Transport",
"sshAuthClient.Resolve",
"sshCache.Resolve"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a"
}
],
"credits": [
{
"name": "@Ry0taK"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0098"
}
}