Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
atlassianSecurity-metrics-botBAM-21267
HistoryMar 10, 2021 - 11:05 a.m.

Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

2021-03-1011:05:09
security-metrics-bot
jira.atlassian.com
18
bamboo
windows
git lfs
remote code execution
cve-2021-21237
incomplete fix
malicious repository
windows amis

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.954

Percentile

99.4%

JSON

Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):

On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

This is the result of an incomplete fix for CVE-2020-27955.

This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.

Fix contains only changes to Windows AMIs used by Bamboo Elastic agents

Affected configurations

Vulners
Node
atlassianbamboo_data_centerRange7.2.2
OR
atlassianbamboo_data_centerRange<7.2.3
VendorProductVersionCPE
atlassianbamboo_data_center*cpe:2.3:a:atlassian:bamboo_data_center:*:*:*:*:*:*:*:*

Related

atlassian 7
osv 7
ubuntucve 2
cvelist 2
nvd 2
github 2
debiancve 2
prion 2
cve 2
githubexploit 10
veracode 2
zdt 2
packetstorm 2
metasploit 1
alpinelinux 1
checkpoint_advisories 1
nessus 1
rapid7blog 1
photon 1
atlassian
atlassian
RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237
2021-02-26 17:00:21
RCE via git-lfs in Sourcetree for Windows - CVE-2020-27955
2021-01-07 17:07:10
RCE via git-lfs in Sourcetree for Windows - CVE-2021-21237
2021-02-26 17:00:21
osv
osv
BIT-git-lfs-2021-21237
2024-03-06 10:52:17
Git LFS can execute a Git binary from the current directory on Windows
2022-02-15 00:30:37
CVE-2021-21237
2021-01-15 18:15:15
ubuntucve
ubuntucve
CVE-2021-21237
2021-01-15 00:00:00
CVE-2020-27955
2020-11-05 00:00:00
cvelist
cvelist
CVE-2021-21237 Git LFS can execute a Git binary from the current directory on Windows
2021-01-15 17:36:09
CVE-2020-27955
2020-11-05 14:57:36
nvd
nvd
CVE-2021-21237
2021-01-15 18:15:15
CVE-2020-27955
2020-11-05 15:15:36
github
github
Git LFS can execute a Git binary from the current directory on Windows
2022-02-15 00:30:37
Git LFS can execute a Git binary from the current directory
2022-02-11 23:39:18
debiancve
debiancve
CVE-2021-21237
2021-01-15 18:15:15
CVE-2020-27955
2020-11-05 15:15:36
prion
prion
Directory traversal
2021-01-15 18:15:00
Remote code execution
2020-11-05 15:15:00
cve
cve
CVE-2021-21237
2021-01-15 18:15:15
CVE-2020-27955
2020-11-05 15:15:36
githubexploit
githubexploit
Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage
2021-08-02 12:32:08
Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage
2021-04-30 14:25:42
Exploit for Uncontrolled Search Path Element in Git Large File Storage Project Git Large File Storage
2021-05-25 15:26:35
veracode
veracode
Arbitrary Code Execution
2024-02-06 08:32:19
Remote Code Execution (RCE)
2022-02-14 09:57:20
zdt
zdt
Git git-lfs Remote Code Execution Exploit
2021-09-17 00:00:00
git-lfs Remote Code Execution Exploit
2020-11-08 00:00:00
packetstorm
packetstorm
git-lfs Remote Code Execution
2020-11-06 00:00:00
Git git-lfs Remote Code Execution
2021-09-16 00:00:00
metasploit
metasploit
Git Remote Code Execution via git-lfs (CVE-2020-27955)
2021-09-03 21:15:38
alpinelinux
alpinelinux
CVE-2020-27955
2020-11-05 15:15:36
checkpoint_advisories
checkpoint_advisories
Git LFS Remote Code Execution (CVE-2020-27955)
2020-11-28 00:00:00
nessus
nessus
Photon OS 4.0: Git PHSA-2023-4.0-0426
2024-07-24 00:00:00
rapid7blog
rapid7blog
Metasploit Wrap-Up
2021-09-17 19:59:18
photon
photon
Critical Photon OS Security Update - PHSA-2023-4.0-0426
2023-07-13 00:00:00

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.954

Percentile

99.4%

JSON
Related for BAM-21267
atlassian7osv7ubuntucve2cvelist2nvd2github2debiancve2prion2cve2githubexploit10veracode2zdt2packetstorm2metasploit1alpinelinux1checkpoint_advisories1nessus1rapid7blog1photon1