Vulnerability Details CVE-2020-12279
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.065
EPSS Ranking 90.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v
- https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4
- https://github.com/libgit2/libgit2/releases/tag/v0.28.4
- https://github.com/libgit2/libgit2/releases/tag/v0.99.0
- https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
- https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
- https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v
- https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4
- https://github.com/libgit2/libgit2/releases/tag/v0.28.4
- https://github.com/libgit2/libgit2/releases/tag/v0.99.0
- https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
- https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
Products affected by CVE-2020-12279
-
cpe:2.3:a:libgit2:libgit2:-
-
cpe:2.3:a:libgit2:libgit2:0.1.0
-
cpe:2.3:a:libgit2:libgit2:0.10.0
-
cpe:2.3:a:libgit2:libgit2:0.11.0
-
cpe:2.3:a:libgit2:libgit2:0.12.0
-
cpe:2.3:a:libgit2:libgit2:0.13.0
-
cpe:2.3:a:libgit2:libgit2:0.14.0
-
cpe:2.3:a:libgit2:libgit2:0.15.0
-
cpe:2.3:a:libgit2:libgit2:0.16.0
-
cpe:2.3:a:libgit2:libgit2:0.17.0
-
cpe:2.3:a:libgit2:libgit2:0.18.0
-
cpe:2.3:a:libgit2:libgit2:0.19.0
-
cpe:2.3:a:libgit2:libgit2:0.2.0
-
cpe:2.3:a:libgit2:libgit2:0.20.0
-
cpe:2.3:a:libgit2:libgit2:0.21.0
-
cpe:2.3:a:libgit2:libgit2:0.21.1
-
cpe:2.3:a:libgit2:libgit2:0.21.2
-
cpe:2.3:a:libgit2:libgit2:0.21.3
-
cpe:2.3:a:libgit2:libgit2:0.21.4
-
cpe:2.3:a:libgit2:libgit2:0.21.5
-
cpe:2.3:a:libgit2:libgit2:0.22.0
-
cpe:2.3:a:libgit2:libgit2:0.22.1
-
cpe:2.3:a:libgit2:libgit2:0.22.2
-
cpe:2.3:a:libgit2:libgit2:0.22.3
-
cpe:2.3:a:libgit2:libgit2:0.23.0
-
cpe:2.3:a:libgit2:libgit2:0.23.1
-
cpe:2.3:a:libgit2:libgit2:0.23.2
-
cpe:2.3:a:libgit2:libgit2:0.23.3
-
cpe:2.3:a:libgit2:libgit2:0.23.4
-
cpe:2.3:a:libgit2:libgit2:0.24.0
-
cpe:2.3:a:libgit2:libgit2:0.24.1
-
cpe:2.3:a:libgit2:libgit2:0.24.2
-
cpe:2.3:a:libgit2:libgit2:0.24.3
-
cpe:2.3:a:libgit2:libgit2:0.24.4
-
cpe:2.3:a:libgit2:libgit2:0.24.5
-
cpe:2.3:a:libgit2:libgit2:0.24.6
-
cpe:2.3:a:libgit2:libgit2:0.25.0
-
cpe:2.3:a:libgit2:libgit2:0.25.1
-
cpe:2.3:a:libgit2:libgit2:0.26.0
-
cpe:2.3:a:libgit2:libgit2:0.26.1
-
cpe:2.3:a:libgit2:libgit2:0.26.2
-
cpe:2.3:a:libgit2:libgit2:0.26.3
-
cpe:2.3:a:libgit2:libgit2:0.26.4
-
cpe:2.3:a:libgit2:libgit2:0.26.5
-
cpe:2.3:a:libgit2:libgit2:0.26.6
-
cpe:2.3:a:libgit2:libgit2:0.26.7
-
cpe:2.3:a:libgit2:libgit2:0.26.8
-
cpe:2.3:a:libgit2:libgit2:0.27.0
-
cpe:2.3:a:libgit2:libgit2:0.27.1
-
cpe:2.3:a:libgit2:libgit2:0.27.10
-
cpe:2.3:a:libgit2:libgit2:0.27.2
-
cpe:2.3:a:libgit2:libgit2:0.27.3
-
cpe:2.3:a:libgit2:libgit2:0.27.4
-
cpe:2.3:a:libgit2:libgit2:0.27.5
-
cpe:2.3:a:libgit2:libgit2:0.27.6
-
cpe:2.3:a:libgit2:libgit2:0.27.7
-
cpe:2.3:a:libgit2:libgit2:0.27.8
-
cpe:2.3:a:libgit2:libgit2:0.27.9
-
cpe:2.3:a:libgit2:libgit2:0.28.0
-
cpe:2.3:a:libgit2:libgit2:0.28.1
-
cpe:2.3:a:libgit2:libgit2:0.28.2
-
cpe:2.3:a:libgit2:libgit2:0.28.3
-
cpe:2.3:a:libgit2:libgit2:0.3.0
-
cpe:2.3:a:libgit2:libgit2:0.8.0
-
cpe:2.3:o:debian:debian_linux:9.0