Corrective releases of distributed source control system Git 2.30.2, 2.17.6, 2.18.5, 2.19.6, 2.20.5, 2.21.4, 2.22.5, 2.23.4, 2.24.4, 2.25.5, 2.26.3 have been published .2.27.1, 2.28.1, 2.29.3, and 2021, which fixed a vulnerability (CVE-21300-2.15) that could allow remote code execution when an attacker's repository was cloned using the "git clone" command. Vulnerabilities affect all releases of Git, starting with version XNUMX.
The problem comes into play when using delayed checkouts, which are used in some cleanup filters, such as those configured in Git LFS. The exploitation of the vulnerability is possible only in file systems that do not distinguish case, but support symbolic links, such as NTFS, HFS+ and APFS (i.e. on Windows and macOS platforms).
As a security workaround, you can disable git's handling of symbolic links by running "git config --global core.symlinks false", or disable support for filter processes by running "git config --show-scope --get-regexp 'filter\.. *\.process'". It is also recommended to avoid cloning unverified repositories.
Source: opennet.ru