Corrective releases of distributed source control system Git 2.30.2, 2.17.6, 2.18.5, 2.19.6, 2.20.5, 2.21.4, 2.22.5, 2.23.4, 2.24.4, 2.25.5, 2.26.3 have been published .2.27.1, 2.28.1, 2.29.3, and 2021, which fixed a vulnerability (CVE-21300-2.15) that could allow remote code execution when an attacker's repository was cloned using the "git clone" command. Vulnerabilities affect all releases of Git, starting with version XNUMX.
The issue manifests itself when using delayed checkout operations, which are used in some purge filters, such as those configured in Git LFS. Exploitation of the vulnerability is only possible on case-insensitive file systems that support symbolic links, such as NTFS, HFS+, and APFS (i.e., on platforms Windows и macOS).
As a security workaround, you can disable git's handling of symbolic links by running "git config --global core.symlinks false", or disable support for filter processes by running "git config --show-scope --get-regexp 'filter\.. *\.process'". It is also recommended to avoid cloning unverified repositories.
Source: opennet.ru
