{"id":"CVE-2020-12278","details":"An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.","modified":"2026-04-11T15:27:49.570051Z","published":"2020-04-27T17:15:13.407Z","related":["GHSA-5wph-8frv-58vj"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"},{"type":"ADVISORY","url":"https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libgit2/libgit2","events":[{"introduced":"0"},{"fixed":"106a5f27586504ea371528191f0ea3aac2ad432b"},{"fixed":"3f7851eadca36a99627ad78cbe56a40d3776ed01"},{"fixed":"e1832eb20a7089f6383cfce474f213157f5300cb"},{"fixed":"172239021f7ba04fe7327647b213799853a9eb89"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.28.4"}]}}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.2.0","v0.21.0","v0.22.0","v0.22.0-rc1","v0.22.0-rc2","v0.23.0","v0.23.0-rc1","v0.23.0-rc2","v0.24.0","v0.24.0-rc1","v0.26.0","v0.26.0-rc1","v0.26.0-rc2","v0.27.0","v0.27.0-rc1","v0.27.0-rc2","v0.27.0-rc3","v0.28.0","v0.28.0-rc1","v0.28.1","v0.28.2","v0.28.3","v0.3.0","v0.8.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T15:27:49Z","vanir_signatures":[{"deprecated":false,"signature_type":"Line","target":{"file":"tests/path/dotgit.c"},"id":"CVE-2020-12278-77fe0a52","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["108193159272336527294922498355120781778","168696676604906338760080497384714187929"]},"source":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"},{"deprecated":false,"signature_type":"Line","target":{"file":"tests/checkout/nasty.c"},"id":"CVE-2020-12278-bc8b0a39","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["67643414561346827047252582287335553368","161775868457229572254969846233468835126","300749777448919314626617997008976429146"]},"source":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"},{"deprecated":false,"signature_type":"Function","target":{"file":"src/path.c","function":"verify_dotgit_ntfs"},"id":"CVE-2020-12278-bf7ab8fe","signature_version":"v1","digest":{"length":635,"function_hash":"138464184776582813693965786405820629166"},"source":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"},{"deprecated":false,"signature_type":"Function","target":{"file":"tests/path/dotgit.c","function":"test_path_dotgit__dotgit_modules_symlink"},"id":"CVE-2020-12278-c12fb24b","signature_version":"v1","digest":{"length":344,"function_hash":"215952766853611671430221167949782745440"},"source":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"},{"deprecated":false,"signature_type":"Line","target":{"file":"src/path.c"},"id":"CVE-2020-12278-d524c03b","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["207333267718056996405747804506618814446","232915964967517859136355871988975093200","206563144425427101112601160652327453230","278549392676235406755515526898783769056"]},"source":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12278.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}