CVE-2020-12278
libgit2 - security update
CVSS 3.1 base score: 9.8 CRITICAL
EPSS: 6.0%
Description
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams: on NTFS, a name such as `foo::$DATA` or `foo:stream` refers to the same file as `foo`, so a tree entry that passes a literal name comparison can still be written to a path the library meant to protect. This may allow remote code execution when cloning a repository. The issue is similar to CVE-2019-1352.
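The following is an added illustration of the class of check involved; it is not libgit2's path.c and does not reproduce the upstream fix. It contrasts a naive literal comparison against `.git` with a check that first strips the NTFS stream suffix (everything from the first `:`), so that `.git::$INDEX_ALLOCATION` is recognised as `.git`, and that rejects any other stream syntax outright. The sample tree paths, the function names and the `PATH_*` verdicts are constructed for this example; the `.git` focus is an assumption that the directory a checkout must never be allowed to write into is the repository's own metadata directory.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one tree path (constructed for this example). */
enum verdict {
    PATH_OK = 0,
    PATH_REJECT_DOTGIT = 1,   /* names NTFS would resolve to ".git" */
    PATH_REJECT_ADS = 2       /* any other NTFS stream syntax */
};

/* Case-insensitive comparison of n bytes; NTFS name lookup ignores case. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* The naive check: compares the literal bytes of the whole component. */
int naive_is_dotgit(const char *name)
{
    return strlen(name) == 4 && ieq(name, ".git", 4);
}

/*
 * Judge one component (no '/' inside, length given explicitly).
 * NTFS opens the file named by everything before the first ':';
 * "foo::$DATA", "foo:stream" and ".git::$INDEX_ALLOCATION" all
 * resolve to "foo" / ".git", so compare against that base only.
 */
enum verdict check_component(const char *name, size_t len)
{
    const char *colon = memchr(name, ':', len);
    size_t base = colon ? (size_t)(colon - name) : len;

    if (base == 4 && ieq(name, ".git", 4))
        return PATH_REJECT_DOTGIT;
    if (base != len)
        return PATH_REJECT_ADS;   /* stream syntax on some other name */
    return PATH_OK;
}

/* Walk a '/'-separated tree path; the first rejected component wins. */
enum verdict check_tree_path(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        enum verdict v = check_component(p, len);
        if (v != PATH_OK)
            return v;
        if (!slash)
            return PATH_OK;
        p = slash + 1;
    }
}

int main(void)
{
    /* Constructed tree entries a malicious repository might carry. */
    static const char *entries[] = {
        "src/main.c",
        ".gitignore",
        ".git/config",
        ".git::$INDEX_ALLOCATION/hooks/post-checkout",
        "sub/.GIT::$index_allocation/config",
        "notes.txt::$DATA",
    };
    static const char *label[] = { "ok", "reject:.git-equivalent", "reject:ads" };

    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        /* Naive view looks only at the first component's literal bytes. */
        char first[256];
        const char *slash = strchr(entries[i], '/');
        size_t n = slash ? (size_t)(slash - entries[i]) : strlen(entries[i]);
        if (n >= sizeof first) n = sizeof first - 1;
        memcpy(first, entries[i], n);
        first[n] = '\0';

        printf("%-46s naive=%d  ads-aware=%s\n", entries[i],
               naive_is_dotgit(first), label[check_tree_path(entries[i])]);
    }
    return 0;
}
```

The second and third `.git` cases are the ones that matter: the naive comparison reports 0 for `.git::$INDEX_ALLOCATION` because the bytes differ, while on NTFS the checkout would land inside `.git`. Rejecting every component that carries a `:` is the simpler policy and is what the ADS branch does; the separate `.git` verdict only exists so a reviewer can see why the equivalence is dangerous rather than merely malformed.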
How to fix CVE-2020-12278
To remediate CVE-2020-12278, upgrade the affected package to one of the fixed versions below. Both entries are the Debian libgit2 source package; the second is the Debian 10 (buster) security update, as the deb10u1 suffix indicates.
- Debian/libgit2: upgrade to 0.28.4+dfsg.1-2 or later
- Debian/libgit2 (buster, deb10u1): upgrade to 0.27.7+dfsg.1-0.2+deb10u1 or later
Is CVE-2020-12278 being exploited?
Moderate. EPSS is 6.0%, an estimated probability of exploitation activity in the wild over the next 30 days. Track this CVE, but it is not at the top of the prioritisation list. Weight it higher on hosts that clone untrusted repositories with libgit2 onto NTFS, since cloning is the trigger the description gives and the equivalent filenames only exist on NTFS.
Affected packages (2)
- Debian/libgit2: all versions (from 0) before 0.28.4+dfsg.1-2
- Debian/libgit2 (buster, deb10u1): all versions (from 0) before 0.27.7+dfsg.1-0.2+deb10u1
CVSS scores
| Source | Version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |