CVE-2020-27955
Git LFS vulnerability analysis and mitigation

Overview

Git Large File Storage (Git LFS) version 2.12.0 and earlier contained a critical Remote Code Execution (RCE) vulnerability identified as CVE-2020-27955. The vulnerability was discovered by Dawid Golunski and disclosed on November 4, 2020. This security flaw affected Windows systems using Git LFS, impacting multiple popular Git clients including Git for Windows, GitHub CLI, GitHub Desktop, Visual Studio Code, GitKraken, SmartGit, and SourceTree in their default configurations (Legal Hackers Advisory).

Technical details

The vulnerability stems from Git LFS not specifying a full path to the git binary when it spawned a new git process via the ExecCommand() function in subprocess/subprocess_windows.go. Because the Windows implementation of exec.Command() resolves a bare executable name by also searching the current directory, an attacker could plant a malicious executable named git.bat, git.exe, or git.cmd in the repository's main directory, and that file would be executed instead of the legitimate git binary located on the trusted path (Legal Hackers Advisory).

Impact

The vulnerability could lead to a full system compromise as attackers could execute arbitrary commands remotely without the victim's knowledge. The attack vector was particularly concerning as it only required the victim to clone a malicious repository using common git version control tools. This affected various Windows systems, including Windows Server 2019 and Windows 10 Pro (Legal Hackers Advisory).

Mitigation and workarounds

The vulnerability was patched in Git LFS version 2.12.1. Due to the critical severity of the vulnerability, users and product vendors were advised to update to the latest git-lfs version as soon as possible. The fix involved properly specifying the full path to the git binary when executing new git processes (Legal Hackers Advisory).
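The following is an added example, not code from Git LFS or the advisory, illustrating both the lookup behaviour described under Technical details and the fixed pattern described here: a defender-side check for git.* look-alikes in a clone's root, and a resolver that picks git only from explicit PATH entries (skipping the implicit current directory and anything inside the clone) before handing an absolute path to exec.Command. The function names, the slash-separated Windows-style paths and the injected exists callback are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Names a bare "git" lookup on Windows can resolve to; the advisory names
// these three as the files an attacker plants in the repository root.
var gitNames = []string{"git.exe", "git.cmd", "git.bat"}

// PlantedGitFiles lists git.* look-alikes in the root of a cloned repository.
// exists is injected (wrap os.Stat in real use) so this runs on constructed data.
func PlantedGitFiles(repoDir string, exists func(string) bool) []string {
	var found []string
	for _, name := range gitNames {
		if p := path.Join(repoDir, name); exists(p) {
			found = append(found, p)
		}
	}
	return found
}

// ResolveTrustedGit is the hardened pattern: resolve "git" to an absolute path
// from explicit PATH entries only, instead of exec.Command("git", ...), which on
// Windows also searches the current directory. Slash-separated paths assumed.
func ResolveTrustedGit(pathDirs []string, repoDir string, exists func(string) bool) (string, error) {
	repo := path.Clean(repoDir)
	for _, dir := range pathDirs {
		d := path.Clean(dir) // "" and "." both clean to "."
		if d == "." || d == repo || strings.HasPrefix(d, repo+"/") {
			continue // implicit current directory, or a directory inside the clone
		}
		for _, name := range gitNames {
			if p := path.Join(d, name); exists(p) {
				return p, nil
			}
		}
	}
	return "", errors.New("no git binary found on trusted PATH entries")
}

func main() {
	// Constructed file set: a legitimate git.exe plus a planted git.bat in the clone.
	files := map[string]bool{"C:/Program Files/Git/cmd/git.exe": true, "C:/clone/evil/git.bat": true}
	exists := func(p string) bool { return files[p] }
	fmt.Println("planted:", PlantedGitFiles("C:/clone/evil", exists))
	p, err := ResolveTrustedGit([]string{".", "C:/clone/evil", "C:/Program Files/Git/cmd"}, "C:/clone/evil", exists)
	fmt.Println("resolved:", p, err)
}
```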

This report was generated using AI.