{"api_version":"1","generated_at":"2026-04-23T01:19:12+00:00","cve":"CVE-2020-12278","urls":{"html":"https://cve.report/CVE-2020-12278","api":"https://cve.report/api/cve/CVE-2020-12278.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-12278","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-12278"},"summary":{"title":"CVE-2020-12278","description":"An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-04-27 17:15:00","updated_at":"2023-02-24 00:15:00"},"problem_types":["CWE-706"],"metrics":[],"references":[{"url":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01","name":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01","refsource":"MISC","tags":["Patch"],"title":"Disallow NTFS Alternate Data Stream attacks, even on Linux/macOS · libgit2/libgit2@3f7851e · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4","name":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4","refsource":"MISC","tags":["Release Notes"],"title":"Release libgit2 v0.28.4 · libgit2/libgit2 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb","name":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb","refsource":"MISC","tags":["Patch"],"title":"path: also guard `.gitmodules` against NTFS Alternate Data Streams · libgit2/libgit2@e1832eb · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0","name":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0","refsource":"MISC","tags":["Release Notes"],"title":"Release libgit2 v0.99.0 · libgit2/libgit2 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html","name":"[debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2936-1] libgit2 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj","name":"https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj","refsource":"MISC","tags":["Third Party Advisory"],"title":"Git mishandles the default NTFS Alternate Data Streams · Advisory · git/git · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html","name":"[debian-lts-announce] 20230223 [SECURITY] [DLA 3340-1] libgit2 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3340-1] libgit2 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-12278","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-12278","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"12278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"12278","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"libgit2","cpe5":"libgit2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"12278","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"libgit2","cpe5":"libgit2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-12278","qid":"179136","title":"Debian Security Update for libgit2 (DLA 2936-1)"},{"cve":"CVE-2020-12278","qid":"181608","title":"Debian Security Update for libgit2 (DLA 3340-1)"},{"cve":"CVE-2020-12278","qid":"200167","title":"Ubuntu Security Notification for libgit2 Vulnerabilities (USN-6678-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-12278","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj","refsource":"MISC","name":"https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj"},{"url":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0","refsource":"MISC","name":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0"},{"url":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4","refsource":"MISC","name":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4"},{"url":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01","refsource":"MISC","name":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"},{"url":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb","refsource":"MISC","name":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220321 [SECURITY] [DLA 2936-1] libgit2 security update","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230223 [SECURITY] [DLA 3340-1] libgit2 security update","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html"}]}},"nvd":{"publishedDate":"2020-04-27 17:15:00","lastModifiedDate":"2023-02-24 00:15:00","problem_types":["CWE-706"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*","versionEndExcluding":"0.28.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"12278","Ordinal":"173420","Title":"CVE-2020-12278","CVE":"CVE-2020-12278","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"12278","Ordinal":"1","NoteData":"An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"12278","Ordinal":"2","NoteData":"2020-04-27","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"12278","Ordinal":"3","NoteData":"2020-04-27","Type":"Other","Title":"Modified"}]}}}