CVE-2021-21300: 
vulnerability analysis and mitigation

Git versions between 2.14.2 and 2.30.1 contain a vulnerability (CVE-2021-21300) where a specially crafted repository containing symbolic links and files using clean/smudge filters (such as Git LFS) could cause arbitrary code execution during clone operations on case-insensitive filesystems like NTFS, HFS+, or APFS. The vulnerability was discovered and fixed in March 2021, affecting primarily Windows and macOS systems (GitHub Advisory, Git Announcement).

The vulnerability occurs when cloning repositories on case-insensitive filesystems with symbolic link support enabled and global configuration of clean/smudge filters. Git for Windows was particularly vulnerable as it configures Git LFS by default. The issue stems from an invalid lstat cache state during checkout operations, which could cause Git to follow symbolic links and write files to unintended locations, potentially outside the repository (GitHub Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the target system during the clone operation, with the privileges of the user running Git. The impact is particularly significant on Windows and macOS systems where case-insensitive filesystems are the default (GitHub Advisory, Debian Advisory).

The vulnerability was patched in Git versions 2.30.2, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, and 2.17.6. For unpatched systems, workarounds include disabling symbolic link support (git config --global core.symlinks false) or ensuring no clean/smudge filters are configured globally before cloning. Users are advised to avoid cloning repositories from untrusted sources (GitHub Advisory, Git Announcement).