GitHub's security advisory states that vulnerabilities in its software allow arbitrary code to be executed on the client platform when a particular command is run, namely "git clone --recurse-submodules". It explains:
When running "git clone --recurse-submodules", Git parses the URL field in the supplied .gitmodules file and blindly passes it as a parameter to the "git clone" child process. If the URL field is set to a string beginning with a dash, the "git clone" child interprets the URL as an option. This can lead to execution of an arbitrary script in the superproject as the user running "git clone".
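As an added defender-side illustration (not code from the advisory or from Git itself), the following parses a .gitmodules file and flags any url or path value that begins with a dash, the condition the advisory describes; the sample .gitmodules content and the option-looking value "--not-a-url" are constructed for this example.

```python
import re

# Constructed sample .gitmodules content (not taken from the article).
# The second entry carries a url beginning with a dash, which the
# "git clone" child process would interpret as an option, not a URL.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "suspicious"]
\tpath = vendor/suspicious
\turl = --not-a-url
"""


def parse_gitmodules(text):
    """Parse .gitmodules (git-config syntax) into {name: {key: value}}."""
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank lines and comments
        section = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        if section:
            current = modules.setdefault(section.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return modules


def find_dash_prefixed(modules):
    """Return (name, key, value) for every url or path starting with '-'.

    Such a value is passed by "git clone --recurse-submodules" to a child
    "git clone", which would treat it as a command-line option; a safe
    .gitmodules never needs a url or path that starts with a dash.
    """
    findings = []
    for name, cfg in modules.items():
        for key in ("url", "path"):
            if cfg.get(key, "").startswith("-"):
                findings.append((name, key, cfg[key]))
    return findings


if __name__ == "__main__":
    for name, key, value in find_dash_prefixed(parse_gitmodules(SAMPLE_GITMODULES)):
        print(f"submodule {name!r}: {key} looks like an option: {value!r}")
```

Running the check before a recursive clone, or in a pre-receive hook on a shared server, gives a simple signal even on Git versions that already refuse such URLs.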
In a blog post, Microsoft clarified that this problem only affects Unix-based platforms such as Linux and macOS, or Windows users who run Git inside a Linux distribution under the Windows Subsystem for Linux (WSL). This is because exploiting the vulnerability requires writing a file whose name contains a colon to disk; since the Windows file system does not support colons in file names, Git for Windows never writes such a file.
The company also noted that its Visual Studio products, which use Git on any platform (macOS, Windows), are not affected, but GitHub still advises users to upgrade to Git version 2.17.2, 2.18.1 or 2.19.1.