Skip to content

x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12279 #2272

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12279#2272
Labels
excluded: LEGACY_FALSE_POSITIVE(DO NOT USE) Vulnerability marked as false positive before we introduced the triage process
@tatianab

Description

@tatianab
tatianab
opened on Nov 8, 2023

CVE-2020-12279 references github.com/git/git, which may be a Go module.

Description:
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/git/git
      vulnerable_at: 2.42.1+incompatible
      packages:
        - package: n/a
cves:
    - CVE-2020-12279
references:
    - web: https://github.com/libgit2/libgit2/releases/tag/v0.99.0
    - web: https://github.com/libgit2/libgit2/releases/tag/v0.28.4
    - advisory: https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v
    - fix: https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4
    - web: https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
    - web: https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html

Metadata

Metadata

Assignees

No one assigned

    Labels

    excluded: LEGACY_FALSE_POSITIVE(DO NOT USE) Vulnerability marked as false positive before we introduced the triage process

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions