CVE-2020-12278
CRITICAL - libgit2 < 0.28.4 and 0.9x < 0.99.0 - Remote Code Execution via NTFS Alternate Data Stream Path Handling
Title source: llmDescription
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.
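The following C program is an added example written for this page; it is not code from libgit2 or from the referenced commits. On NTFS, `name:stream:type` addresses an Alternate Data Stream of `name`, and a directory's default stream is `$INDEX_ALLOCATION`, so a tree entry named `.git::$INDEX_ALLOCATION` (or simply `.git:`) resolves to the real `.git` directory of the checkout. A path check that only knows about NTFS trailing spaces and periods therefore lets a repository write into `.git` through an entry such as `.git::$INDEX_ALLOCATION/hooks/post-checkout`. The example contrasts a simplified pre-fix style component check with a hardened one that treats `:` as terminating the filename, and walks every component of a tree-entry path with each. The function names (`naive_is_dotgit`, `is_ntfs_dotgit`, `path_has_dotgit`), the sample paths and the treatment of the `git~1` 8.3 short name as a second alias are assumptions made for the demonstration, not a description of libgit2's actual implementation.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "does s start with prefix". Stops at NUL, so no over-read. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/*
 * Simplified pre-fix style check (hypothetical, not libgit2's code).
 * It knows NTFS strips trailing spaces and periods, so ".git . ." is .git,
 * but it treats ':' as an ordinary character and so misses ADS syntax.
 */
int naive_is_dotgit(const char *name)
{
    const char *c;

    if (!has_prefix_ci(name, ".git"))
        return 0;
    for (c = name + 4;; c++) {
        if (*c == '\0' || *c == '/' || *c == '\\')
            return 1;
        if (*c != ' ' && *c != '.')
            return 0;
    }
}

/*
 * Hardened check. On NTFS "name:stream:type" addresses an Alternate Data
 * Stream of "name", and a directory's default stream is $INDEX_ALLOCATION,
 * so ".git::$INDEX_ALLOCATION" (or just ".git:") is the .git directory.
 * ':' therefore terminates the effective filename. The 8.3 short name
 * "git~1" is another NTFS alias of the same directory and is rejected too
 * (assumption for this example; the short-name class is a separate issue).
 */
int is_ntfs_dotgit(const char *name)
{
    const char *c;

    if (has_prefix_ci(name, ".git"))
        c = name + 4;
    else if (has_prefix_ci(name, "git~1"))
        c = name + 5;
    else
        return 0;

    for (;; c++) {
        if (*c == '\0' || *c == '/' || *c == '\\' || *c == ':')
            return 1;           /* ".git", ".git/", ".git . .", ".git:..." */
        if (*c != ' ' && *c != '.')
            return 0;           /* a genuinely different name, e.g. ".gitignore" */
    }
}

typedef int (*component_check)(const char *);

/* Run a component check at the start of every path component of a tree entry.
 * Returns 1 if any component is an alias of .git under that check. */
int path_has_dotgit(const char *path, component_check check)
{
    const char *p = path;

    for (;;) {
        if (check(p))
            return 1;
        p = strpbrk(p, "/\\");  /* next separator, either style */
        if (p == NULL)
            return 0;
        p++;
    }
}

int main(void)
{
    /* Constructed tree-entry paths a malicious repository could carry. */
    const char *paths[] = {
        ".git::$INDEX_ALLOCATION/hooks/post-checkout",
        ".git:/config",
        ".GIT . ./config",
        "git~1/hooks/pre-commit",
        "src/.gitattributes",        /* legitimate, must pass */
        "docs/.gitignore",           /* legitimate, must pass */
    };
    size_t i;

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        printf("%-45s naive=%s hardened=%s\n", paths[i],
               path_has_dotgit(paths[i], naive_is_dotgit) ? "reject" : "accept",
               path_has_dotgit(paths[i], is_ntfs_dotgit) ? "reject" : "accept");
    }
    return 0;
}
```

The naive check accepts the first two ADS paths and the `git~1` path while the hardened check rejects all four and still passes `.gitattributes` and `.gitignore`. Rejecting these names on every platform is the safe choice: on ext4 a `:` is an ordinary filename character, so a Linux build gains nothing from such entries, while a repository cloned there and later copied to NTFS would otherwise carry the hazard with it. Git exposes this policy as `core.protectNTFS`; whether to enforce it unconditionally is a deployment decision.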
References (7)
Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
Third Party Advisory
https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj
Patch, Third Party Advisory
https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01
Patch, Third Party Advisory
https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb
Release Notes, Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.28.4
Release Notes, Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.99.0
Mailing List
https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
Scores
CVSS v3
9.8
EPSS
0.0525 (5.25% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile
91.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-706 (Use of Incorrectly-Resolved Name or Reference)
Status
published
Products (2)
debian/debian_linux
9.0
libgit2/libgit2
< 0.28.4 (the 0.9x pre-release series before 0.99.0 is also affected, as stated in the description)
Published
Apr 27, 2020
Tracked Since
Feb 18, 2026