{"id":"USN-6678-1","summary":"libgit2 vulnerabilities","details":"It was discovered that libgit2 mishandled equivalent filenames on NTFS\npartitions. If a user or automated system were tricked into cloning a\nspecially crafted repository, an attacker could possibly use this issue to\nexecute arbitrary code. This issue only affected Ubuntu 16.04 LTS and\nUbuntu 18.04 LTS. (CVE-2020-12278, CVE-2020-12279)\n\nIt was discovered that libgit2 did not perform certificate checking by\ndefault. An attacker could possibly use this issue to perform a\nmachine-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS,\nUbuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-22742)\n\nIt was discovered that libgit2 could be made to run into an infinite loop.\nAn attacker could possibly use this issue to cause a denial of service.\nThis issue only affected Ubuntu 23.10. (CVE-2024-24575)\n\nIt was discovered that libgit2 did not properly manage memory. An attacker\ncould possibly use this issue to cause a denial of service or execute\narbitrary code. (CVE-2024-24577)\n","modified":"2026-02-10T04:43:31Z","published":"2024-03-05T18:46:35Z","related":["UBUNTU-CVE-2020-12278","UBUNTU-CVE-2020-12279","UBUNTU-CVE-2023-22742","UBUNTU-CVE-2024-24577"],"upstream":["CVE-2020-12278","CVE-2020-12279","CVE-2023-22742","CVE-2024-24577","UBUNTU-CVE-2020-12278","UBUNTU-CVE-2020-12279","UBUNTU-CVE-2023-22742","UBUNTU-CVE-2024-24575","UBUNTU-CVE-2024-24577"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6678-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-12278"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-12279"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-22742"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-24575"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-24577"}],"affected":[{"package":{"name":"libgit2","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/libgit2@0.24.1-2ubuntu0.2+esm2?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.24.1-2ubuntu0.2+esm2"}]}],"versions":["0.22.2-2","0.23.1-1","0.24.1-2","0.24.1-2ubuntu0.2","0.24.1-2ubuntu0.2+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.24.1-2ubuntu0.2+esm2","binary_name":"libgit2-24"},{"binary_version":"0.24.1-2ubuntu0.2+esm2","binary_name":"libgit2-dev"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6678-1.json","cves_map":{"cves":[{"id":"CVE-2020-12278","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2020-12279","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2023-22742","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-24577","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"libgit2","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/libgit2@0.26.0+dfsg.1-1.1ubuntu0.2+esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.26.0+dfsg.1-1.1ubuntu0.2+esm1"}]}],"versions":["0.25.1+really0.24.6-1","0.26.0+dfsg.1-1.1","0.26.0+dfsg.1-1.1build1","0.26.0+dfsg.1-1.1ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_version":"0.26.0+dfsg.1-1.1ubuntu0.2+esm1","binary_name":"libgit2-26"},{"binary_version":"0.26.0+dfsg.1-1.1ubuntu0.2+esm1","binary_name":"libgit2-dev"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6678-1.json","cves_map":{"cves":[{"id":"CVE-2020-12278","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2020-12279","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2023-22742","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-24577","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"libgit2","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libgit2@0.28.4+dfsg.1-2ubuntu0.1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.28.4+dfsg.1-2ubuntu0.1"}]}],"versions":["0.27.7+dfsg.1-0.2build1","0.28.3+dfsg.1-1","0.28.3+dfsg.1-1ubuntu1","0.28.4+dfsg.1-2"],"ecosystem_specific":{"binaries":[{"binary_version":"0.28.4+dfsg.1-2ubuntu0.1","binary_name":"libgit2-28"},{"binary_version":"0.28.4+dfsg.1-2ubuntu0.1","binary_name":"libgit2-dev"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6678-1.json","cves_map":{"cves":[{"id":"CVE-2023-22742","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-24577","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:20.04:LTS"}}},{"package":{"name":"libgit2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/libgit2@1.1.0+dfsg.1-4.1ubuntu0.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.0+dfsg.1-4.1ubuntu0.1"}]}],"versions":["1.1.0+dfsg.1-4","1.1.0+dfsg.1-4.1","1.1.0+dfsg.1-4.1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.1.0+dfsg.1-4.1ubuntu0.1","binary_name":"libgit2-1.1"},{"binary_version":"1.1.0+dfsg.1-4.1ubuntu0.1","binary_name":"libgit2-dev"},{"binary_version":"1.1.0+dfsg.1-4.1ubuntu0.1","binary_name":"libgit2-fixtures"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6678-1.json","cves_map":{"cves":[{"id":"CVE-2023-22742","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2024-24577","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:22.04:LTS"}}}],"schema_version":"1.7.3"}