{"id":"CVE-2020-12279","details":"An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.","modified":"2026-04-11T15:27:49.873790Z","published":"2020-04-27T17:15:13.470Z","related":["GHSA-589j-mmg9-733v"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0"},{"type":"FIX","url":"https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libgit2/libgit2","events":[{"introduced":"0"},{"fixed":"106a5f27586504ea371528191f0ea3aac2ad432b"},{"fixed":"64c612cc3e25eff5fb02c59ef5a66ba7a14751e4"},{"fixed":"172239021f7ba04fe7327647b213799853a9eb89"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.28.4"}]}}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.2.0","v0.21.0","v0.22.0","v0.22.0-rc1","v0.22.0-rc2","v0.23.0","v0.23.0-rc1","v0.23.0-rc2","v0.24.0","v0.24.0-rc1","v0.26.0","v0.26.0-rc1","v0.26.0-rc2","v0.27.0","v0.27.0-rc1","v0.27.0-rc2","v0.27.0-rc3","v0.28.0","v0.28.0-rc1","v0.28.1","v0.28.2","v0.28.3","v0.3.0","v0.8.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T15:27:49Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12279.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"vanir_signatures":[{"source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","signature_version":"v1","digest":{"function_hash":"54554569915003734768761110712720175172","length":109},"signature_type":"Function","id":"CVE-2020-12279-18c21614","deprecated":false,"target":{"function":"test_checkout_nasty__git_tilde1","file":"tests/checkout/nasty.c"}},{"source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","signature_version":"v1","digest":{"line_hashes":["34151097703912068279059189515774524754","640971338307182747042490539310138101","261090504824042527251622828911835319539","190820267254834495437436494656192599698","109452042279548290592481542638704603152","183873679057880809488074463187073290050"],"threshold":0.9},"signature_type":"Line","id":"CVE-2020-12279-577666bb","deprecated":false,"target":{"file":"tests/checkout/nasty.c"}},{"source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","signature_version":"v1","digest":{"function_hash":"270919345757994032373988505154932358300","length":636},"signature_type":"Function","id":"CVE-2020-12279-9b82710e","deprecated":false,"target":{"function":"checkout_verify_paths","file":"src/checkout.c"}},{"source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","signature_version":"v1","digest":{"line_hashes":["91163887863019740474463251087811095055","163293920236655175007224761102751500986","304947559022233408970519915295579978259","337098278619693989970552484739974126394"],"threshold":0.9},"signature_type":"Line","id":"CVE-2020-12279-fa1bf32c","deprecated":false,"target":{"file":"src/checkout.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}