{"id":"CVE-2020-12278","details":"An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.","aliases":["GHSA-5wph-8frv-58vj"],"modified":"2026-05-18T10:46:43.726236Z","published":"2020-04-27T17:15:13.407Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html"},{"type":"ADVISORY","url":"https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libgit2/libgit2","events":[{"introduced":"0"},{"fixed":"106a5f27586504ea371528191f0ea3aac2ad432b"},{"fixed":"3f7851eadca36a99627ad78cbe56a40d3776ed01"},{"fixed":"e1832eb20a7089f6383cfce474f213157f5300cb"},{"fixed":"172239021f7ba04fe7327647b213799853a9eb89"}],"database_specific":{"cpe":"cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.28.4"}]}}],"versions":["v0.28.3","v0.28.2","v0.28.1","v0.28.0-rc1","v0.28.0","v0.27.0","v0.27.0-rc3","v0.26.0-rc2","v0.26.0","v0.27.0-rc1","v0.27.0-rc2","v0.26.0-rc1","v0.24.0","v0.24.0-rc1","v0.23.0","v0.23.0-rc2","v0.23.0-rc1","v0.22.0","v0.22.0-rc2","v0.22.0-rc1","v0.21.0","v0.18.0","v0.17.0","v0.16.0","v0.15.0","v0.14.0","v0.13.0","v0.12.0","v0.11.0","v0.10.0","v0.8.0","v0.3.0","v0.2.0","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-12278.json","vanir_signatures":[{"digest":{"length":187,"function_hash":"334228689799873034616583224043572814311"},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb","deprecated":false,"signature_type":"Function","id":"CVE-2020-12278-057b646f","target":{"file":"src/path.c","function":"only_spaces_and_dots"}},{"digest":{"threshold":0.9,"line_hashes":["108193159272336527294922498355120781778","168696676604906338760080497384714187929"]},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb","deprecated":false,"signature_type":"Line","id":"CVE-2020-12278-77fe0a52","target":{"file":"tests/path/dotgit.c"}},{"digest":{"threshold":0.9,"line_hashes":["67643414561346827047252582287335553368","161775868457229572254969846233468835126","300749777448919314626617997008976429146"]},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01","deprecated":false,"signature_type":"Line","id":"CVE-2020-12278-bc8b0a39","target":{"file":"tests/checkout/nasty.c"}},{"digest":{"length":635,"function_hash":"138464184776582813693965786405820629166"},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01","deprecated":false,"signature_type":"Function","id":"CVE-2020-12278-bf7ab8fe","target":{"file":"src/path.c","function":"verify_dotgit_ntfs"}},{"digest":{"length":344,"function_hash":"215952766853611671430221167949782745440"},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb","deprecated":false,"signature_type":"Function","id":"CVE-2020-12278-c12fb24b","target":{"file":"tests/path/dotgit.c","function":"test_path_dotgit__dotgit_modules_symlink"}},{"digest":{"threshold":0.9,"line_hashes":["207333267718056996405747804506618814446","232915964967517859136355871988975093200","206563144425427101112601160652327453230","278549392676235406755515526898783769056"]},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01","deprecated":false,"signature_type":"Line","id":"CVE-2020-12278-d524c03b","target":{"file":"src/path.c"}},{"digest":{"threshold":0.9,"line_hashes":["115313385144348768602035450890856830614","71630582082332557933362078827281385895","41060068646927360613742676298274082445","335105883863474486117359305112049561000"]},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb","deprecated":false,"signature_type":"Line","id":"CVE-2020-12278-f9a09ad1","target":{"file":"src/path.c"}}],"vanir_signatures_modified":"2026-05-18T10:46:43Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}