Updating releases of Git 2.30.2, 2.17.6, 2.18.5, 2.19 have been published .6, 2.20.5, 2.21.4, 2.22.5, 2.23.4, 2.24.4, 2.25.5, 2.26.3, 2.27.1, 2.28.1 and 2.29.3, in which vulnerability (CVE-2021-21300) allowing remote code execution when cloning an attacker’s repository using git clone commands. All Git releases since version 2.15 are affected.
The problem manifests itself when using pending checkout operations, which are used in some cleanup filters, for example, configured in Git LFS . The vulnerability can only be exploited on case-insensitive file systems that support symbolic links, such as NTFS, HFS +, and APFS (i.e., on Windows and macOS platforms).
As a workaround, you can turn off symbolic link handling in git by running “git config –global core.symlinks false”, or turn off support for filter processes using the command “git config –show-scope –get- regexp ‘filter .. * . process’ “. It is also recommended to avoid cloning unverified repositories.