Arbitrary Code Execution Affecting github.com/git-lfs/git-lfs/git package, versions >=2.12.1 <3.1.3


Severity: high

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.08% (36th percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMGITLFSGITLFSGIT-2769554
  • published: 20 Apr 2022
  • disclosed: 20 Apr 2022
  • credit: Mikhail Shcherbakov

Introduced: 20 Apr 2022

CVE-2022-24826
CWE-94

How to fix?

Upgrade github.com/git-lfs/git-lfs/git to version 3.1.3 or higher.

Overview

github.com/git-lfs/git-lfs/git contains various commands that shell out to git.

Affected versions of this package are vulnerable to Arbitrary Code Execution on the Windows OS. If Git LFS operates on a malicious repository with a ..exe file as well as a file named git.exe, and git.exe is not found in PATH, the ..exe program will be executed, permitting the attacker to execute arbitrary code.
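The root of this class of bug is command lookup that consults the current working directory (here, the checked-out repository) before or instead of PATH. The following Go program is an added illustration, not code from Git LFS or from the advisory: it models a Windows-style lookup over a constructed in-memory file listing (the paths, PATH string and the `exists` callback are all assumed test fixtures) to show how a `git.exe` shipped in the clone wins when the real git is missing from PATH, and contrasts it with a hardened lookup that searches only absolute PATH entries and rejects degenerate names such as `.` (which an `.exe` suffix turns into `..exe`). `HardenedLookPath` applies the same rule to the real `exec.LookPath` on the running host.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// fakeFS is a constructed file listing standing in for a malicious checkout
// plus a system directory. "/" is used as separator so the model runs on any
// OS; what matters is the search order, not the separator.
var fakeFS = map[string]bool{
	"/repo/git.exe":             true, // attacker-controlled file in the clone
	"/repo/..exe":               true, // attacker-controlled file in the clone
	"/windows/system32/cmd.exe": true,
}

// windowsExts are the extensions a Windows lookup appends to a bare name.
var windowsExts = []string{".com", ".exe", ".bat", ".cmd"}

// cwdFirstLookPath models a lookup that consults the current directory before
// every PATH entry: if git is not on PATH, the repository's git.exe is chosen.
func cwdFirstLookPath(name, cwd, pathEnv string, exists func(string) bool) (string, error) {
	dirs := append([]string{cwd}, strings.Split(pathEnv, ";")...)
	return searchDirs(name, dirs, exists)
}

// pathOnlyLookPath is the hardened variant: the working tree is never a
// candidate and relative PATH entries (which also resolve against cwd) are skipped.
func pathOnlyLookPath(name, pathEnv string, exists func(string) bool) (string, error) {
	var dirs []string
	for _, d := range strings.Split(pathEnv, ";") {
		if d == "" || !strings.HasPrefix(d, "/") {
			continue
		}
		dirs = append(dirs, d)
	}
	return searchDirs(name, dirs, exists)
}

// searchDirs tries name+ext in each directory in order. It refuses names that
// are not a plain file name: "." or ".." plus ".exe" would yield "..exe".
func searchDirs(name string, dirs []string, exists func(string) bool) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q is not a plain command name", name)
	}
	for _, dir := range dirs {
		for _, ext := range windowsExts {
			candidate := dir + "/" + name + ext
			if exists(candidate) {
				return candidate, nil
			}
		}
	}
	return "", fmt.Errorf("%s: not found in search path", name)
}

// HardenedLookPath wraps the real exec.LookPath and refuses any result that is
// not an absolute path, the tell-tale of a lookup that relied on cwd.
func HardenedLookPath(name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", errors.New("refusing non-plain command name")
	}
	p, err := exec.LookPath(name)
	if err != nil {
		return "", err
	}
	if !filepath.IsAbs(p) {
		return "", fmt.Errorf("%s resolved to relative path %q; refusing", name, p)
	}
	return p, nil
}

func main() {
	exists := func(p string) bool { return fakeFS[p] }
	pathEnv := "/windows/system32;/program files/git/bin" // constructed: no git here
	vulnerable, _ := cwdFirstLookPath("git", "/repo", pathEnv, exists)
	_, hardenedErr := pathOnlyLookPath("git", pathEnv, exists)
	fmt.Printf("cwd-first lookup chose: %s\n", vulnerable)
	fmt.Printf("PATH-only lookup: %v\n", hardenedErr)
}
```

Go 1.19 and later also make `exec.LookPath` return an error when the result depends on the current directory, which the `err != nil` check in `HardenedLookPath` honours; the absolute-path check covers older toolchains and PATH entries such as `.`.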
