CVE-2020-12278
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-12278
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-12278.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-12278
- Downstream
- Related
- Published
- 2020-04-27T17:15:13Z
- Modified
- 2025-09-19T11:39:17.229193Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.
- References
-
- https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj
- https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01
- https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb
- https://github.com/libgit2/libgit2/releases/tag/v0.28.4
- https://github.com/libgit2/libgit2/releases/tag/v0.99.0
- https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
- https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
Affected packages
Git / github.com/libgit2/libgit2
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libgit2/libgit2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixed
Affected versions
v0.*
v0.1.0
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.2.0
v0.20.0
v0.21.0
v0.21.0-rc1
v0.21.0-rc2
v0.22.0
v0.22.0-rc1
v0.22.0-rc2
v0.23.0
v0.23.0-rc1
v0.23.0-rc2
v0.24.0
v0.24.0-rc1
v0.24.4
v0.25.0
v0.25.0-rc1
v0.25.0-rc2
v0.25.1
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.27.0
v0.27.0-rc1
v0.27.0-rc2
v0.27.0-rc3
v0.28.0
v0.28.0-rc1
v0.28.1
v0.28.2
v0.28.3
v0.3.0
v0.8.0
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2020-12278-77fe0a52",
"signature_type": "Line",
"digest": {
"line_hashes": [
"108193159272336527294922498355120781778",
"168696676604906338760080497384714187929"
],
"threshold": 0.9
},
"target": {
"file": "tests/path/dotgit.c"
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"
},
{
"id": "CVE-2020-12278-bc8b0a39",
"signature_type": "Line",
"digest": {
"line_hashes": [
"67643414561346827047252582287335553368",
"161775868457229572254969846233468835126",
"300749777448919314626617997008976429146"
],
"threshold": 0.9
},
"target": {
"file": "tests/checkout/nasty.c"
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"
},
{
"id": "CVE-2020-12278-bf7ab8fe",
"signature_type": "Function",
"digest": {
"function_hash": "138464184776582813693965786405820629166",
"length": 635.0
},
"target": {
"file": "src/path.c",
"function": "verify_dotgit_ntfs"
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"
},
{
"id": "CVE-2020-12278-c12fb24b",
"signature_type": "Function",
"digest": {
"function_hash": "215952766853611671430221167949782745440",
"length": 344.0
},
"target": {
"file": "tests/path/dotgit.c",
"function": "test_path_dotgit__dotgit_modules_symlink"
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"
},
{
"id": "CVE-2020-12278-d524c03b",
"signature_type": "Line",
"digest": {
"line_hashes": [
"207333267718056996405747804506618814446",
"232915964967517859136355871988975093200",
"206563144425427101112601160652327453230",
"278549392676235406755515526898783769056"
],
"threshold": 0.9
},
"target": {
"file": "src/path.c"
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"
}
]
}