CVE-2020-12278 — Improper Input Validation in Libgit2
Severity
NVD: 9.8 CRITICAL
OSV: 8.8
EPSS: 6.0% (top 9.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 27
Latest update: Mar 5
Description
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages (4 packages)
Also affects: Debian Linux 9.0
Patches
Bugzilla (6)
CVE-2020-12278 libgit2: files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams [fedora-all] (2020-04-29)
CVE-2020-12278 libgit2:0.28/libgit2: files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams [fedora-all] (2020-04-29)
CVE-2020-12278 libgit2:0.27/libgit2: files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams [fedora-all] (2020-04-29)
CVE-2020-12278 libgit2: files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams [epel-all] (2020-04-29)
CVE-2020-12278 libgit2:0.26/libgit2: files inside the .git directory may be overwritten during cloning via NTFS Alternate Data Streams [fedora-all] (2020-04-29)