CVE-2021-28955: Arbitrary code execution due to an uncontrolled search path for the git binary

May 25, 2021 (updated May 19, 2025)

The Go language recently addressed a security issue in the way binaries are located before being executed. Some operating systems, Windows among them, still include the current directory in the default executable search path, and give it priority over the system-wide path.

This means a malicious user can craft, for example, a git.bat command, commit it and push it to a repository. Later, when git-bug searches for the git binary, this malicious executable can take priority over the real git and be executed.
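As an added example (not code from git-bug or from this advisory), the following Go program wraps the standard library's exec.LookPath so that any lookup resolving to a relative path, which is what a match in the current working directory looks like, is refused before a command is built. Go 1.19 and later already report such matches as an error (exec.ErrDot); the absolute-path check covers older toolchains, where Windows prepends "." to the search. The names safeLookPath, acceptResolvedPath and gitCommand are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrRelativeExecutable is returned when a PATH lookup resolves to a relative
// location, i.e. a file picked up from the current working directory rather
// than from a system-wide directory.
var ErrRelativeExecutable = errors.New("executable resolved to a relative path; refusing to run it")

// acceptResolvedPath is the policy check: only absolute paths are accepted.
// Keeping it a pure function makes the rule testable without depending on
// which binaries are installed on the machine running the tests.
func acceptResolvedPath(resolved string) error {
	if !filepath.IsAbs(resolved) {
		return ErrRelativeExecutable
	}
	return nil
}

// safeLookPath resolves name with exec.LookPath and applies acceptResolvedPath
// to the result. On Go 1.19+ exec.LookPath already rejects current-directory
// matches with exec.ErrDot, which is surfaced through the first return; on
// older toolchains the absolute-path check is what stops a committed git.bat
// from being chosen over the real git.
func safeLookPath(name string) (string, error) {
	resolved, err := exec.LookPath(name)
	if err != nil {
		return "", err
	}
	if err := acceptResolvedPath(resolved); err != nil {
		return "", fmt.Errorf("%s: %w", name, err)
	}
	return resolved, nil
}

// gitCommand builds an *exec.Cmd for git the way a tool such as git-bug would,
// but only after the binary has passed the lookup policy. Passing the absolute
// path to exec.Command means no second PATH search happens at run time.
func gitCommand(args ...string) (*exec.Cmd, error) {
	git, err := safeLookPath("git")
	if err != nil {
		return nil, err
	}
	return exec.Command(git, args...), nil
}

func main() {
	cmd, err := gitCommand("--version")
	if err != nil {
		fmt.Fprintln(os.Stderr, "git lookup rejected:", err)
		os.Exit(1)
	}
	out, err := cmd.Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "git failed:", err)
		os.Exit(1)
	}
	fmt.Printf("using %s: %s", cmd.Path, out)
}
```

Running the program in a checkout that contains a git.bat on Windows prints the "refusing to run it" error instead of executing the committed file; on a system with git installed in a system-wide directory it prints the absolute path it resolved to along with the git version.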

References

  • github.com/MichaelMure/git-bug/pull/604
  • github.com/advisories/GHSA-m898-h4pm-pqfr
  • github.com/git-bug/git-bug
  • github.com/git-bug/git-bug/security/advisories/GHSA-m898-h4pm-pqfr
  • nvd.nist.gov/vuln/detail/CVE-2021-28955
  • vuln.ryotak.me/advisories/18

Affected versions

All versions before 0.7.2

Fixed versions

  • 0.7.2

Solution

Upgrade to version 0.7.2 or above.

Impact 9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

  • CWE-427: Uncontrolled Search Path Element

Source file

go/github.com/MichaelMure/git-bug/CVE-2021-28955.yml

Page generated Fri, 29 Aug 2025 00:19:03 +0000.