CVE-2021-21300— malicious repositories can execute remote code while cloning
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-21300
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
malicious repositories can execute remote code while cloning
Source: NVD (National Vulnerability Database)
Vulnerability Description
Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Git 后置链接漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Git是一套免费、开源的分布式版本控制系统。 Git 存在后置链接漏洞,该漏洞允许攻击者利用特别制作的存储库导致just-checked脚本执行而克隆到一个不区分大小写的文件系统。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-21300
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/AlkenePan/CVE-2021-21300 | POC Details |
| 2 | None | https://github.com/Faisal78123/CVE-2021-21300 | POC Details |
| 3 | None | https://github.com/erranfenech/CVE-2021-21300 | POC Details |
| 4 | None | https://github.com/Maskhe/CVE-2021-21300 | POC Details |
| 5 | remote code exec for git | https://github.com/1uanWu/CVE-2021-21300 | POC Details |
| 6 | None | https://github.com/Kirill89/CVE-2021-21300 | POC Details |
| 7 | None | https://github.com/ETOCheney/cve-2021-21300 | POC Details |
| 8 | None | https://github.com/fengzhouc/CVE-2021-21300 | POC Details |
| 9 | None | https://github.com/danshuizhangyu/CVE-2021-21300 | POC Details |
| 10 | None | https://github.com/0ahu/CVE-2021-21300 | POC Details |
| 11 | None | https://github.com/Jiang59991/cve-2021-21300 | POC Details |
| 12 | None | https://github.com/Jiang59991/cve-2021-21300-plus | POC Details |
| 13 | None | https://github.com/macilin/CVE-2021-21300 | POC Details |
| 14 | the payload of CVE-2021-21300 | https://github.com/Roboterh/CVE-2021-21300 | POC Details |
| 15 | CVE-2021-21300 | https://github.com/henry861010/Network_Security_NYCU | POC Details |
| 16 | None | https://github.com/Saboor-Hakimi-23/CVE-2021-21300 | POC Details |
| 17 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%85%B6%E4%BB%96%E6%BC%8F%E6%B4%9E/Git%20for%20Visual%20Studio%E8%BF%9C%E7%A8%8B%E6%89%A7%E8%A1%8C%E4%BB%A3%E7%A0%81%E6%BC%8F%E6%B4%9E%20CVE-2021-21300.md | POC Details |
| 18 | None | https://github.com/Sizvy/CVE-2021-21300 | POC Details |
| 19 | CVE-2021-21300 test | https://github.com/the-chivalrousZ/cve-2021-21300 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-21300
请登录查看更多情报信息。
- https://security.gentoo.org/glsa/202104-01vendor-advisory
- http://seclists.org/fulldisclosure/2021/Apr/60mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2021-21300
IV. Related Vulnerabilities
Same product: git
- CVE-2026-32631
Git for Windows: `git clone` from manipulated repositories c - CVE-2025-66413
Git for Windows leaks NTLM hash when cloning from an attacke - CVE-2025-48384
Git allows arbitrary code execution through broken config qu - CVE-2025-48385
Git alllows arbitrary file writes via bundle-uri parameter i - CVE-2025-48386
Git allows a buffer overflow in 'wincred' credential helper
Same vendor: git
- CVE-2025-48384
Git allows arbitrary code execution through broken config qu - CVE-2025-48385
Git alllows arbitrary file writes via bundle-uri parameter i - CVE-2025-48386
Git allows a buffer overflow in 'wincred' credential helper - CVE-2024-52005
The sideband payload is passed unfiltered to the terminal in - CVE-2024-50349
Git does not sanitize URLs when asking for credentials inter
Same weakness: CWE-59
- CVE-2021-47949
CyberPanel 2.1 Authenticated Remote Code Execution via Symli - CVE-2026-41882
JetBrains IntelliJ IDEA 后置链接漏洞 - CVE-2026-27105
Dell Alienware Purchased Apps 后置链接漏洞 - CVE-2026-5161
Improper Authentication in TUBITAK BILGEM's Pardus About - CVE-2026-41397
OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File
V. Comments for CVE-2021-21300
No comments yet