CVE-2021-21237: 
Git LFS vulnerability analysis and mitigation

CVE-2021-21237 is a critical security vulnerability affecting Git LFS on Windows systems. The vulnerability was discovered in January 2021 and is related to an incomplete fix for CVE-2020-27955. The issue affects Git LFS versions prior to 2.13.2, including implementations in software like SourceTree for Windows (versions up to 3.4.2) and Bamboo elastic agent AMI for Windows (versions up to 7.2.2) (GitHub Advisory, Atlassian KB).

The vulnerability occurs because on Windows, Go includes and prefers the current directory when the name of a command run does not contain a directory separator. When Git LFS operates on a malicious repository containing a git.bat or git.exe file in the current directory, that program would be executed, allowing for arbitrary code execution. This security issue specifically affects Windows systems and does not impact Unix systems. The vulnerability has been assigned a CVSS score of 7.8 (High), with attack vector being Local, attack complexity Low, and requiring user interaction (GitHub Advisory).

If exploited, the vulnerability allows attackers to execute arbitrary commands on the target system through a malicious repository when Git LFS operations are performed. This could lead to complete system compromise with high impact on confidentiality, integrity, and availability of the affected system (GitHub Advisory).

The vulnerability was patched in Git LFS version 2.13.2, SourceTree for Windows version 3.4.3, and Bamboo version 7.2.3. Users are strongly advised to upgrade to these or later versions. For users unable to upgrade immediately, the only workaround is to avoid untrusted repositories or use a different operating system (GitHub Advisory, Atlassian KB).