CVE-2020-12279

Published 2020-04-27

An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names: on Windows, NTFS gives a directory named `.git` an 8.3 alias such as `GIT~1`, so a crafted repository can carry tree entries whose paths look harmless but resolve into the real `.git` directory at checkout (for example hooks or config). This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.
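The check below is an added illustration of the kind of filename-equivalence validation a checkout routine needs on NTFS; it is not libgit2's own code, and the sample tree listing, the function names and the decision to reject every `git~<n>` alias (not just `GIT~1`) are assumptions of this example. It treats a path component as dangerous when, after NTFS's trailing-dot and trailing-space stripping, it is `.git` or an 8.3 short name of `.git`.

```python
import re

# 8.3 alias of a directory named ".git": NTFS drops the leading dot, keeps
# up to six base characters ("GIT"), then appends "~" and a disambiguating
# number. "GIT~1" is the common case; this example also rejects GIT~2 and
# higher (a conservative assumption of this example, not libgit2's exact
# rule), since other entries in the same directory can push the number up.
_SHORT_DOTGIT = re.compile(r"^git~[1-9][0-9]*$", re.IGNORECASE)


def is_ntfs_dotgit(component: str) -> bool:
    """True if a single path component would open the real .git directory on NTFS."""
    # NTFS ignores trailing dots and spaces when resolving a name, so ".git.",
    # ".git " and "GIT~1." all alias the same directory.
    stripped = component.rstrip(". ")
    if stripped.lower() == ".git":
        return True
    return bool(_SHORT_DOTGIT.match(stripped))


def is_unsafe_checkout_path(path: str) -> bool:
    """True if any component of a tree entry path aliases .git."""
    # A Windows checkout accepts either separator, so split on both.
    return any(is_ntfs_dotgit(p) for p in re.split(r"[\\/]", path) if p)


def reject_dotgit_aliases(entries):
    """Partition tree entry paths into (safe, rejected) lists."""
    safe, rejected = [], []
    for path in entries:
        (rejected if is_unsafe_checkout_path(path) else safe).append(path)
    return safe, rejected


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                   # legitimate: does not collapse to ".git"
    "GIT~1/hooks/post-checkout",    # 8.3 alias of .git: hook would run after clone
    ".git./config",                 # trailing dot is ignored by NTFS
    "docs/Git~2/x.txt",             # nested, higher disambiguator, mixed case
    "legacy/git~/notes",            # no digit after the tilde: not a short name
]

if __name__ == "__main__":
    safe, rejected = reject_dotgit_aliases(SAMPLE_TREE)
    for p in rejected:
        print("REJECT", p)
    for p in safe:
        print("ok    ", p)
```

Running the block prints three rejected entries (`GIT~1/hooks/post-checkout`, `.git./config`, `docs/Git~2/x.txt`) and four accepted ones. The check has to be applied to every component, not only the first, and before the entry is written; applying it after the file exists is too late, since the hook or config is already in place. This example covers only `.git`; git and libgit2 also guard other reserved names (such as short-name forms of `.gitmodules`) with the same approach.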

Do I need to act?

EPSS: ~5.2% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Fix available: upgrade to libgit2 0.28.4 or 0.99.0, or apply fix commits 106a5f27586504ea371528191f0ea3aac2ad432b, 64c612cc3e25eff5fb02c59ef5a66ba7a14751e4, 172239021f7ba04fe7327647b213799853a9eb89
CVSS 9.8/10 Critical (attack vector NETWORK, LOW attack complexity)

Affected Products (2)

libgit2

Risk score: 47 / 100 (moderate-risk)
Severity 32/34 · Critical
Exploitability 8/34 · Low
Exposure 7/34 · Low