CVE-2021-21237

HIGH Year: 2021
CVSS v3 Score
7.8
High
CVSS v2 Score
4.6
Medium
Weakness Type
CWE-426
View all →

Vulnerability Description

Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.

Related Vulnerabilities

CVE-2013-2773

HIGH
CVSS:7.8(High)

Nitro PDF 8.5.0.26: A specially crafted DLL file can facilitate Arbitrary Code Execution

CWE-4262013

CVE-2013-3494

HIGH
CVSS:7.8(High)

A Code Execution Vulnerability exists in UMPlayer 0.98 in wintab32.dll due to insufficient path restrictions when loading external libraries. which could let a malicious user execute arbitrary code.

CWE-4262013

CVE-2013-3942

HIGH
CVSS:7.8(High)

Potplayer prior to 1.5.39659: DLL Loading Arbitrary Code Execution Vulnerability

CWE-4262013

CVE-2014-3860

HIGH
CVSS:7.8(High)

Xilisoft Video Converter Ultimate 7.8.1 build-20140505 has a DLL Hijacking vulnerability

CWE-4262014

CVE-2014-8358

HIGH
CVSS:7.8(High)

Huawei EC156, EC176, and EC177 USB Modem products with software before UTPS-V200R003B015D02SP07C1014 (23.015.02.07.1014) and before V200R003B015D02SP08C1014 (23.015.02.08.1014) use a weak ACL for the ...

CWE-4262014

CVE-2015-0974

HIGH
CVSS:7.8(High)

Untrusted search path vulnerability in ZTE Datacard MF19 0V1.0.0B04 allows local users to gain privilege by modifying the 'Ucell Internet' directory to reference a malicious mms_dll_r.dll or mediaplay...

CWE-4262015