CVE-2021-21300

Source
https://cve.org/CVERecord?id=CVE-2021-21300
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21300.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21300
Published
2021-03-09T20:15:13.260Z
Modified
2026-04-16T04:35:00.022931657Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Git is an open-source distributed revision control system. In affected versions of Git, a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS may cause a just-checked-out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaround, if symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. before cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.6.

Affected packages

Git / github.com/git/git

Affected ranges

Type
GIT
Repo
https://github.com/git/git
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.14.2"
        },
        {
            "introduced": "2.17.0"
        },
        {
            "fixed": "2.17.6"
        },
        {
            "introduced": "2.18.0"
        },
        {
            "fixed": "2.18.5"
        },
        {
            "introduced": "2.19.0"
        },
        {
            "fixed": "2.19.6"
        },
        {
            "introduced": "2.20.0"
        },
        {
            "fixed": "2.20.5"
        },
        {
            "introduced": "2.21.0"
        },
        {
            "fixed": "2.21.4"
        },
        {
            "introduced": "2.22.0"
        },
        {
            "fixed": "2.22.5"
        },
        {
            "introduced": "2.23.0"
        },
        {
            "fixed": "2.23.4"
        },
        {
            "introduced": "2.24.0"
        },
        {
            "fixed": "2.24.4"
        },
        {
            "introduced": "2.25.0"
        },
        {
            "fixed": "2.25.5"
        },
        {
            "introduced": "2.26.0"
        },
        {
            "fixed": "2.26.3"
        },
        {
            "introduced": "2.29.0"
        },
        {
            "fixed": "2.29.3"
        },
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.30.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.27.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.28.0"
        }
    ]
}

Affected versions


Database specific

vanir_signatures_modified
"2026-04-11T23:33:55Z"
vanir_signatures
[
    {
        "id": "CVE-2021-21300-15a4833d",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "276677503004035957720297652347060290279",
                "194300041489366364803722943678753375976",
                "326368134096761905215852270671667464242",
                "255339043160293375611455199595722318847"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592",
        "deprecated": false,
        "target": {
            "file": "cache.h"
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2021-21300-39a1bc57",
        "signature_version": "v1",
        "digest": {
            "function_hash": "249291322838791192183549209301243117633",
            "length": 606.0
        },
        "source": "https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592",
        "deprecated": false,
        "target": {
            "function": "mingw_rmdir",
            "file": "compat/mingw.c"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2021-21300-54a4a911",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "52405788541650449857671201861593003433",
                "118767286671706823813543168271443044398",
                "294277434565854147747340188632148379712",
                "6269988942282923549050380572644560961"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592",
        "signature_type": "Line",
        "target": {
            "file": "compat/mingw.c"
        },
        "deprecated": false
    },
    {
        "id": "CVE-2021-21300-ee846581",
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592",
        "deprecated": false,
        "target": {
            "file": "git-compat-util.h"
        },
        "digest": {
            "line_hashes": [
                "98106067658817072442339340836510065327",
                "266101509246156468219369285670669909114",
                "67565927279547095135265739457466178456"
            ],
            "threshold": 0.9
        }
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21300.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "12.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]