CVE-2020-12278
Ubuntu Security Notice USN-6678-1
Severity Score
Exploit Likelihood
Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.
It was discovered that libgit2 mishandled equivalent filenames on NTFS partitions. If a user or automated system were tricked into cloning a specially crafted repository, an attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that libgit2 did not perform certificate checking by default. An attacker could possibly use this issue to perform a machine-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-04-27 CVE Reserved
- 2020-04-27 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-706: Use of Incorrectly-Resolved Name or Reference
CAPEC
References (7)
URL | Tag | Source
---|---|---
https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj | Third Party Advisory |
https://github.com/libgit2/libgit2/releases/tag/v0.28.4 | Release Notes |
https://github.com/libgit2/libgit2/releases/tag/v0.99.0 | Release Notes |
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html | Mailing List |
https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html | Mailing List |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Libgit2 | Libgit2 | < 0.28.4 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected