CVE-2021-28955: Arbitrary code execution due to an uncontrolled search path for the git binary
The Go language recently addressed a security issue in the way binaries are located before being executed. Some operating systems, Windows among them, still include the current directory in the default search path, ahead of the system-wide PATH entries.
This means a malicious user could craft, for example, a git.bat command, commit it and push it to a repository. Later, when git-bug searches for the git binary, this malicious executable can take priority and be executed.
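As an added illustration that is not part of the advisory or of git-bug's own code, the Go below models the Windows search order described above against a constructed file set, with a hardened lookup that skips the working directory, and SafeLookPath shows the check to wrap around a real exec.LookPath call (Go 1.19's exec.ErrDot plus the absolute-path test used by golang.org/x/sys/execabs). Directory names and the PATHEXT list are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
)

// ErrCwdLookup mirrors the intent of exec.ErrDot (Go 1.19+) and
// golang.org/x/sys/execabs: a binary resolved relative to the current
// directory must not be executed.
var ErrCwdLookup = errors.New("binary resolved from current directory, refusing to run")

// lookPath models the Windows search order behind this advisory: when
// searchCwd is true the current directory is tried before every PATH entry,
// and each candidate is tried with every PATHEXT suffix. exists is injected
// so the model runs offline; paths are joined with "/" for brevity.
func lookPath(name, cwd string, pathDirs, exts []string, exists func(string) bool, searchCwd bool) (string, error) {
	dirs := pathDirs
	if searchCwd {
		dirs = append([]string{cwd}, pathDirs...)
	}
	for _, dir := range dirs {
		for _, ext := range exts {
			candidate := dir + "/" + name + ext
			if exists(candidate) {
				return candidate, nil
			}
		}
	}
	return "", fmt.Errorf("%s: executable not found", name)
}

// HardenedLookPath never consults the current directory, so a git.bat
// committed into a repository cannot shadow the real git on PATH.
func HardenedLookPath(name, cwd string, pathDirs, exts []string, exists func(string) bool) (string, error) {
	return lookPath(name, cwd, pathDirs, exts, exists, false)
}

// SafeLookPath is the check for code that calls the real exec.LookPath:
// reject a relative result (pre-1.19 behaviour on Windows) and ErrDot (1.19+).
func SafeLookPath(name string) (string, error) {
	p, err := exec.LookPath(name)
	if errors.Is(err, exec.ErrDot) || (err == nil && !filepath.IsAbs(p)) {
		return "", ErrCwdLookup
	}
	return p, err
}
```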