Arbitrary Code Execution Affecting github.com/git-lfs/git-lfs/lfs package, versions >=2.12.1 <3.1.3


0.0
high

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 0.08% (31st percentile)
NVD
7.8 high

  • Snyk ID SNYK-GOLANG-GITHUBCOMGITLFSGITLFSLFS-2769552
  • published 20 Apr 2022
  • disclosed 20 Apr 2022
  • credit Mikhail Shcherbakov

How to fix?

Upgrade github.com/git-lfs/git-lfs/lfs to version 3.1.3 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution on Windows. If Git LFS operates on a malicious repository that contains a file named `..exe` as well as a file named `git.exe`, and no `git.exe` is found in PATH, the `..exe` program from the repository is executed instead, allowing the attacker to run arbitrary code on the machine of the user who invoked Git LFS in that checkout.
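As an added example (not Git LFS's own code), the following Go program shows a defensive program-name resolver that fails closed in the situation the overview describes: it searches only absolute PATH directories, never the working directory, and rejects names that are empty, consist only of dots (a bare `.` plus `.exe` is `..exe`), or carry a path separator. The function names `resolveProgram` and `lookupInMaliciousRepo`, the PATH entries and the file layout under `C:\repo` are constructed for this example and do not come from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Errors returned by resolveProgram. Distinguishing "unsafe name" from
// "not found" lets a caller fail closed instead of falling back to
// whatever happens to sit in the working tree.
var (
	ErrUnsafeName = errors.New("refusing to resolve an empty, dot-only or path-qualified program name")
	ErrNotFound   = errors.New("program not found in any absolute PATH directory")
)

// isAbsoluteDir accepts POSIX-rooted paths and Windows drive-letter paths
// without depending on the host OS, so the policy is testable anywhere.
func isAbsoluteDir(dir string) bool {
	if strings.HasPrefix(dir, "/") {
		return true
	}
	return len(dir) >= 3 && dir[1] == ':' && (dir[2] == '\\' || dir[2] == '/')
}

// joinPath joins using the separator style already present in dir.
func joinPath(dir, file string) string {
	sep := "/"
	if strings.Contains(dir, `\`) {
		sep = `\`
	}
	return strings.TrimRight(dir, `/\`) + sep + file
}

// resolveProgram searches pathDirs (the split PATH) for name, trying each
// extension in exts (on Windows, the PATHEXT list). It never consults the
// current working directory, skips empty or relative PATH entries, and
// rejects names that are empty, consist only of dots, or contain a
// separator. fileExists abstracts the filesystem so the logic can be
// exercised with constructed inputs.
func resolveProgram(name string, pathDirs []string, exts []string, fileExists func(string) bool) (string, error) {
	if strings.Trim(name, ".") == "" || strings.ContainsAny(name, `/\`) {
		return "", ErrUnsafeName
	}
	for _, dir := range pathDirs {
		if !isAbsoluteDir(dir) {
			continue // "" and "." mean "current directory" to a naive lookup; never search them
		}
		for _, ext := range exts {
			candidate := joinPath(dir, name+ext)
			if fileExists(candidate) {
				return candidate, nil
			}
		}
	}
	return "", ErrNotFound
}

// Constructed file layout (hypothetical, for the example only): git.exe is
// absent from PATH, while the cloned repository at C:\repo carries both a
// git.exe and a ..exe.
var constructedFiles = map[string]bool{
	`C:\Program Files\Git\cmd\git-lfs.exe`: true,
	`C:\repo\git.exe`:                      true,
	`C:\repo\..exe`:                        true,
}

func constructedExists(p string) bool { return constructedFiles[p] }

// lookupInMaliciousRepo replays the advisory's scenario: PATH lacks git.exe
// and even contains "." and "" entries. A safe resolver must report
// ErrNotFound rather than hand back anything from C:\repo.
func lookupInMaliciousRepo(name string) (string, error) {
	pathDirs := []string{`C:\Program Files\Git\cmd`, ".", ""}
	return resolveProgram(name, pathDirs, []string{".exe", ".cmd"}, constructedExists)
}

func main() {
	for _, name := range []string{"git", "git-lfs", ".", `..\git`} {
		p, err := lookupInMaliciousRepo(name)
		fmt.Printf("%-10q -> %q, %v\n", name, p, err)
	}
}
```

Go 1.19 and later make the standard `os/exec` lookup return `exec.ErrDot` when a name would resolve to a file in the current directory; code that must build on older toolchains, or that implements its own PATH search, needs the same policy spelled out as above, and the caller should treat `ErrNotFound` as a hard failure rather than retry with a relative name.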

References