What is it?
The vulnerability allows an attacker to execute arbitrary code on a victim's machine through a malicious repository. It is only present on Windows; however, Git for Windows ships with Git LFS, so all Windows customers can be affected.
Example situation: Joe Company clones the open source repo http://www.github.com/bad/repo.git to a corporate machine. This action would allow an attacker to take over Joe’s machine and hack the company network.
More information on this vulnerability can be found in the CVE-2020-27955 Security Notice.
How do we remediate it?
Download and install the newest build of Git for Windows on all Windows machines, or run git update-git-for-windows on each machine, to patch this vulnerability.
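As an added example that is not part of this advisory, the PowerShell script below checks whether the Git LFS build a Windows host actually runs meets a minimum version, so that remediation can be verified across a fleet rather than assumed. The fixed version is not stated on this page, so $MinimumFixedLfsVersion is a placeholder to be taken from the CVE-2020-27955 Security Notice; the function names Get-GitLfsVersion and Test-GitLfsRemediated are chosen here for illustration.

```powershell
# Added example (not from the advisory): inventory check for the Git LFS
# build on a Windows host. $MinimumFixedLfsVersion is a PLACEHOLDER; set it
# to the fixed Git LFS version given in the CVE-2020-27955 Security Notice.
param(
    [version]$MinimumFixedLfsVersion = [version]'0.0.0'
)

function Get-GitLfsVersion {
    # 'git lfs version' prints one line such as
    # "git-lfs/X.Y.Z (GitHub; windows amd64; go ...)"; extract X.Y.Z.
    # Uses whichever git is first on PATH, i.e. the one users actually invoke.
    $git = Get-Command git -ErrorAction SilentlyContinue
    if (-not $git) { return $null }
    $line = (& $git.Source lfs version 2>$null) -join ' '
    if ($line -match 'git-lfs/(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-GitLfsRemediated {
    param([version]$Minimum)
    $installed = Get-GitLfsVersion
    if ($null -eq $installed) {
        # No git, or git without the lfs subcommand: nothing to compare, flag for review.
        return [pscustomobject]@{
            Installed  = $null
            Minimum    = $Minimum
            Remediated = $false
            Action     = 'git or git-lfs not found; install the current Git for Windows'
        }
    }
    $ok = $installed -ge $Minimum
    $action = if ($ok) { 'none' } else { 'run: git update-git-for-windows' }
    [pscustomobject]@{
        Installed  = $installed
        Minimum    = $Minimum
        Remediated = $ok
        Action     = $action
    }
}

Test-GitLfsRemediated -Minimum $MinimumFixedLfsVersion | Format-List
```

Run it as the user whose PATH is in question, since it reports the git (and its bundled git-lfs) that PATH resolves to; a separately installed standalone git-lfs elsewhere on the machine is not covered by this check. A result with Remediated set to False means the update step above has not yet taken effect on that host.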
Need assistance?
If you find you need further assistance, please reach out to the team by submitting an issue.