Security updates for Git versions 2.30.2, 2.17.6, 2.18.5, 2.19.6, 2.20.5, 2.21.4, 2.22.5, 2.23.4, 2.24.4, 2.25.5, 2.26.3, 2.27.1, 2.28.1, and 2.29.3 have been released, fixing a vulnerability (CVE-2021-21300) that allows for remote code execution when cloning a malicious repository using the "git clone" command. All Git releases starting from version 2.15 are affected by this vulnerability.
The issue occurs when using deferred checkout operations, which are utilized in certain cleanup filters, such as those configured in Git LFS. Exploitation of the vulnerability is only possible in case-sensitive file systems that support symbolic links, such as NTFS, HFS+, and APFS (i.e., on Windows and macOS platforms).
As a workaround for protection, you can disable symbolic link processing in git by executing "git config --global core.symlinks false" or disable filter process support with the command "git config --show-scope --get-regexp 'filter\..*\.process'". It is also advisable to avoid cloning unverified repositories.
Source: opennet.ru
