CVE-2021-21300
📋 TL;DR
This vulnerability allows remote code execution when cloning malicious Git repositories on case-insensitive file systems (Windows/macOS default). Attackers can craft repositories with symbolic links and Git LFS filters to execute arbitrary code during checkout. Users of Git on Windows/macOS with Git LFS configured are primarily affected.
💻 Affected Systems
- Git
- Git for Windows
📦 What is this software?
Fedora by Fedoraproject
Git by Git Scm
Xcode by Apple
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malicious repository clones execute payloads that steal credentials, install malware, or establish persistence on developer machines.
If Mitigated
No impact if proper controls like patching, disabling symbolic links, or avoiding untrusted repositories are implemented.
🎯 Exploit Status
Exploit requires victim to clone malicious repository. Public proof-of-concept demonstrates command execution. No authentication needed beyond repository access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.6
Vendor Advisory: https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
Restart Required: No
Instructions:
1. Update Git to a patched version using your package manager or the official installer.
2. For Windows: Download the latest Git for Windows from https://git-scm.com/.
3. For macOS: Use Homebrew ('brew upgrade git') or download from the official site.
4. Verify the version with 'git --version'.
🔧 Temporary Workarounds
Disable symbolic links globally
Applies to: all platforms. Prevents symbolic link processing during clone operations.
git config --global core.symlinks false
Remove Git LFS filters
Applies to: all platforms. Unconfigures clean/smudge filters before cloning repositories.
git config --global --unset filter.lfs.clean
git config --global --unset filter.lfs.smudge
🧯 If You Can't Patch
- Only clone repositories from trusted sources and verify repository integrity
- Use case-sensitive file systems or virtual machines with Linux for Git operations
🔍 How to Verify
Check if Vulnerable:
Check the Git version and, on Windows/macOS, whether Git LFS filters are configured: run 'git --version' and 'git config --global --list | grep filter'
Check Version:
git --version
Verify Fix Applied:
Confirm the Git version is patched: 'git --version' should show 2.30.1 or a later release, or the fixed release of its series listed above
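As an added example (not part of this advisory), a POSIX shell script that automates the checks above: it compares a Git version string against the patched releases listed in the Official Fix section, looks for clean/smudge filters in `git config --list` output, and reports whether the core.symlinks workaround is set; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the advisory: version and filter checks for CVE-2021-21300.
# Fixed releases per 2.x minor series, taken from the advisory's "Patch Version" list.
FIXED_VERSIONS="2.30.1 2.29.3 2.28.1 2.27.1 2.26.3 2.25.5 2.24.4 2.23.4 2.22.5 2.21.4 2.20.5 2.19.6 2.18.5 2.17.6"

# parse_git_version: strips the "git version " prefix from `git --version` output.
parse_git_version() {
    printf '%s\n' "${1#git version }"
}

# is_patched VERSION: returns 0 when VERSION is at or above the fixed release of
# its minor series (or a newer series), 1 when it is still vulnerable.
# Extra suffixes such as "2.30.1.windows.1" are ignored.
is_patched() {
    IFS=. read -r major minor patch rest <<EOF
$1
EOF
    patch=${patch:-0}
    [ "$major" -gt 2 ] && return 0      # 3.x and later postdate the fix
    [ "$major" -lt 2 ] && return 1      # 1.x never received a fix
    [ "$minor" -gt 30 ] && return 0     # 2.31 and later shipped with the fix
    for fixed in $FIXED_VERSIONS; do
        IFS=. read -r _ fmin fpat <<EOF
$fixed
EOF
        if [ "$fmin" -eq "$minor" ]; then
            [ "$patch" -ge "$fpat" ] && return 0
            return 1
        fi
    done
    return 1                            # 2.16 and older: no fixed release listed
}

# has_clean_smudge_filter: reads `git config --list` output on stdin and succeeds
# if any clean or smudge filter (for example filter.lfs.clean) is configured.
has_clean_smudge_filter() {
    grep -qE '^filter\.[^.]+\.(clean|smudge)='
}

# check_local_git: live check of the installed git, if any; prints a verdict.
check_local_git() {
    command -v git >/dev/null 2>&1 || { echo "git not installed"; return 2; }
    ver=$(parse_git_version "$(git --version)")
    if is_patched "$ver"; then echo "git $ver: patched"; else echo "git $ver: VULNERABLE, update"; fi
    git config --global --list 2>/dev/null | has_clean_smudge_filter &&
        echo "clean/smudge filters configured: checkout filters will run on clone"
    [ "$(git config --global --get core.symlinks 2>/dev/null)" = "false" ] &&
        echo "core.symlinks=false workaround is in place"
    return 0
}
```

Run `check_local_git` from the script to check the local installation; the helper functions can also be sourced and used on output collected from other machines.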
📡 Detection & Monitoring
Log Indicators:
- Unusual Git clone operations from unknown sources
- Process execution from Git checkout directories
Network Indicators:
- Git clone traffic to suspicious repositories
- Unexpected outbound connections after Git operations
SIEM Query:
Process creation where parent process is git.exe or git and command line contains clone or checkout
🔗 References
- http://packetstormsecurity.com/files/163978/Git-LFS-Clone-Command-Execution.html
- http://seclists.org/fulldisclosure/2021/Apr/60
- http://www.openwall.com/lists/oss-security/2021/03/09/3
- https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
- https://git-scm.com/docs/gitattributes#_filter
- https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592
- https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
- https://lists.debian.org/debian-lts-announce/2022/10/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BBPNGLQSYJHLZZ37BO42YY6S5OTIF4L4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LCLJJLKKMS5WRFO6C475AOUZTWQLIARX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LMXX2POK5X576BSDWSXGU7EIK6I72ERU/
- https://lore.kernel.org/git/xmqqim6019yd.fsf%40gitster.c.googlers.com/
- https://security.gentoo.org/glsa/202104-01
- https://support.apple.com/kb/HT212320