reports/GO-2021-0098.yaml

module: github.com/git-lfs/git-lfs
package: github.com/git-lfs/git-lfs/commands
additional_packages:
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/creds
    symbols:
      - AskPassCredentialHelper.getFromProgram
      - commandCredentialHelper.Approve
    versions:
      - fixed: v1.5.1-0.20210113180018-fc664697ed2c
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/lfs
    symbols:
      - pipeExtensions
    versions:
      - fixed: v1.5.1-0.20210113180018-fc664697ed2c
  - module: github.com/git-lfs/git-lfs
    package: github.com/git-lfs/git-lfs/lfshttp
    symbols:
      - sshAuthClient.Resolve
    versions:
      - fixed: v1.5.1-0.20210113180018-fc664697ed2c
versions:
  - fixed: v1.5.1-0.20210113180018-fc664697ed2c
description: |
  Due to the standard library behavior of exec.LookPath on Windows a number of methods may
  result in arbitary code execution when cloning or operating on untrusted Git repositories.
published: 2021-04-14T12:00:00Z
cve: CVE-2021-21237
credit: "@Ry0taK"
symbols:
  - PipeCommand
os:
  - windows
links:
  commit: https://github.com/git-lfs/git-lfs/commit/fc664697ed2c2081ee9633010de0a7f9debea72a
  context:
    - https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5