CVE-2021-29468
Cygwin Git is a patch set for the git command-line tool for the Cygwin environment. A specially crafted repository that contains symbolic links as well as files with backslash characters in the file name may cause just-checked-out code to be executed while checking out a repository using Git on Cygwin. The problem will be patched in the Cygwin Git v2.31.1-2 release. At the time of writing, the vulnerability is present in the upstream Git source code; any Cygwin user who compiles Git for themselves from upstream sources should manually apply a patch to mitigate the vulnerability. As a mitigation, users should not clone or pull from repositories from untrusted sources. CVE-2019-1354 was an equivalent vulnerability in Git for Visual Studio.
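A defender-side pre-checkout check for the two ingredients the advisory names, symbolic links and backslashes in path names, written here as an added illustration. It is not the Cygwin Git check-backslash-safety.patch and not part of this record; it assumes only that git is on PATH for the scan_repo helper, and the sample tree listing (with placeholder object ids) is constructed:

```python
"""Flag tree entries that match the CVE-2021-29468 ingredients: symlinks and
backslash characters in path names. Added illustration, not the Cygwin patch."""
from __future__ import annotations
import subprocess
from typing import Iterator, NamedTuple

SYMLINK_MODE = "120000"  # git tree mode for a symbolic link


class Finding(NamedTuple):
    path: str
    mode: str
    reason: str


def parse_ls_tree_z(data: bytes) -> Iterator[tuple[str, str]]:
    """Parse `git ls-tree -r -z` output: '<mode> <type> <object>\\t<path>\\0'.
    -z is used so paths arrive raw instead of C-quoted (a quoted path would
    show a backslash as '\\\\' and hide the character we are looking for)."""
    for record in data.split(b"\0"):
        if not record:
            continue
        meta, _, path = record.partition(b"\t")
        mode = meta.split(b" ", 1)[0].decode()
        yield mode, path.decode("utf-8", "surrogateescape")


def unsafe_entries(entries) -> list[Finding]:
    """Return every entry that is a symlink or whose name contains a backslash."""
    findings = []
    for mode, path in entries:
        if mode == SYMLINK_MODE:
            findings.append(Finding(path, mode, "symbolic link"))
        if "\\" in path:
            findings.append(Finding(path, mode, "backslash in path name"))
    return findings


def scan_repo(repo_dir: str, rev: str = "HEAD") -> list[Finding]:
    """Run the check against a real clone before checking it out on Cygwin."""
    out = subprocess.run(["git", "-C", repo_dir, "ls-tree", "-r", "-z", rev],
                         check=True, capture_output=True).stdout
    return unsafe_entries(parse_ls_tree_z(out))


# Constructed sample listing; the object ids are placeholders, not real hashes.
SAMPLE = b"".join([
    b"100644 blob " + b"a" * 40 + b"\tREADME.md\0",
    b"120000 blob " + b"b" * 40 + b"\tlink-to-dir\0",
    b"100755 blob " + b"c" * 40 + b"\tsub\\script.sh\0",
])

if __name__ == "__main__":
    for f in unsafe_entries(parse_ls_tree_z(SAMPLE)):
        print(f"{f.reason}: {f.path!r} (mode {f.mode})")
```

A hit does not prove a repository is malicious, but on an unpatched Cygwin Git it is reason to inspect the tree before running a checkout.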
Risk Scores
EPSS 0.55% (68.1 percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| me-and | Cygwin-Git | < 2.31.1-2 |
| cygwin | git | 0 |
Timeline
- Apr 29, 2021 CVE Published
- Apr 30, 2021 EPSS Score
- Jul 3, 2021 EPSS Score
- Sep 3, 2021 EPSS Score
- Jan 5, 2022 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 9, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 11, 2022 EPSS Score
- Sep 12, 2022 EPSS Score
- Nov 13, 2022 EPSS Score
References
- https://github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557
- https://github.com/me-and/Cygwin-Git/blob/main/check-backslash-safety.patch
- https://cygwin.com/pipermail/cygwin-announce/2021-April/010018.html
- https://lore.kernel.org/git/CA+kUOa=juEdBMVr_gyTKjz7PkPt2DZHkXQyzcQmAWCsEHC_ssw%40mail.gmail.com/T/#u