9.8

CVE-2020-12278

An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Libgit2Libgit2 Version < 0.28.4
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.11% 0.913
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
Third Party Advisory
Mailing List
https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj
Third Party Advisory
https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01
Patch
Third Party Advisory
https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb
Patch
Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.28.4
Third Party Advisory
Release Notes
https://github.com/libgit2/libgit2/releases/tag/v0.99.0
Third Party Advisory
Release Notes
https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html