Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-21267

Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

XMLWordPrintable

    • 9.1
    • Critical
    • CVE-2021-21237

      Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):

      On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

      This is the result of an incomplete fix for CVE-2020-27955.

      This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.

      Fix contains only changes to Windows AMIs used by Bamboo Elastic agents

            [BAM-21267] Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 847717 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 846038 ]
            Jacek Krawczyk (Inactive) made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 717124 ]
            Jacek Krawczyk (Inactive) made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 717124 ]
            Jacek Krawczyk (Inactive) made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 715530 ]
            Jacek Krawczyk (Inactive) made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 715530 ]
            Security Metrics Bot made changes -
            CVE ID New: CVE-2021-21237
            David Black made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 565200 ]
            David Black made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-released dont-import security
            Alexey Chystoprudov made changes -
            Description Original: Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):

            On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

            This is the result of an incomplete fix for CVE-2020-27955.

            This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.

            Fix includes changes to Windows AMIs used by Bamboo Elastic agents             		New: Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):

            On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

            This is the result of an incomplete fix for CVE-2020-27955.

            This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.

            Fix contains only changes to Windows AMIs used by Bamboo Elastic agents

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: