CVE-2020-12279 : An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkou

An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.

Published 2020-04-27 17:15:13

Updated 2023-02-24 00:15:11

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2020-12279

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Libgit2 » Libgit2
Versions before (<) 0.28.4
cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-12279

EPSS FAQ

5.58%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-12279

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-12279

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-12279

https://github.com/libgit2/libgit2/releases/tag/v0.99.0

Release libgit2 v0.99.0 · libgit2/libgit2 · GitHub
Release Notes;Third Party Advisory

CVEs referencing this url
https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4

Protect against 8.3 "short name" attacks also on Linux/macOS · libgit2/libgit2@64c612c · GitHub
Patch;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html

[SECURITY] [DLA 2936-1] libgit2 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v

Git needs NTFS-related protections outside of Git for Windows · Advisory · git/git · GitHub
Patch;Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.28.4

Release libgit2 v0.28.4 · libgit2/libgit2 · GitHub
Release Notes;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html

[SECURITY] [DLA 3340-1] libgit2 security update

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-12279

Products affected by CVE-2020-12279

Exploit prediction scoring system (EPSS) score for CVE-2020-12279

CVSS scores for CVE-2020-12279

CWE ids for CVE-2020-12279

References for CVE-2020-12279