CVE-2020-12278
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-12278
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-12278.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-12278
- Downstream
- Related
- Published
- 2020-04-27T17:15:13Z
- Modified
- 2025-08-19T14:23:43.453815Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.
- References
-
- https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj
- https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01
- https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb
- https://github.com/libgit2/libgit2/releases/tag/v0.28.4
- https://github.com/libgit2/libgit2/releases/tag/v0.99.0
- https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
- https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
- https://security-tracker.debian.org/tracker/CVE-2020-12278
Affected packages
Debian:11 / libgit2
Package
- Name
- libgit2
- Purl
- pkg:deb/debian/libgit2?arch=source
Debian:12 / libgit2
Package
- Name
- libgit2
- Purl
- pkg:deb/debian/libgit2?arch=source
Debian:13 / libgit2
Package
- Name
- libgit2
- Purl
- pkg:deb/debian/libgit2?arch=source
Debian:14 / libgit2
Package
- Name
- libgit2
- Purl
- pkg:deb/debian/libgit2?arch=source
Git / github.com/libgit2/libgit2
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libgit2/libgit2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixed
Affected versions
v0.*
v0.1.0
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.2.0
v0.20.0
v0.21.0
v0.21.0-rc1
v0.21.0-rc2
v0.22.0
v0.22.0-rc1
v0.22.0-rc2
v0.23.0
v0.23.0-rc1
v0.23.0-rc2
v0.24.0
v0.24.0-rc1
v0.24.4
v0.25.0
v0.25.0-rc1
v0.25.0-rc2
v0.25.1
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.27.0
v0.27.0-rc1
v0.27.0-rc2
v0.27.0-rc3
v0.28.0
v0.28.0-rc1
v0.28.1
v0.28.2
v0.28.3
v0.3.0
v0.8.0