CVE-2020-12278 – This vulnerability in libgit2 allows remote cod... (How to Fix)

Q: What is the severity of CVE-2020-12278?

CVE-2020-12278 has a CVSS score of 9.8 (CRITICAL). This vulnerability in libgit2 allows remote code execution when cloning repositories from malicious sources. It affects applications using vulnerable libgit2 versions due to mishandling of NTFS Alternate Data Streams in path names. Users of git clients or services built on affected libgit2 versions are at risk.

📋 TL;DR

This vulnerability in libgit2 allows remote code execution when cloning repositories from malicious sources. It affects applications using vulnerable libgit2 versions due to mishandling of NTFS Alternate Data Streams in path names. Users of git clients or services built on affected libgit2 versions are at risk.

💻 Affected Systems

Products:

libgit2
applications using libgit2 library

Versions: libgit2 versions before 0.28.4 and 0.9x before 0.99.0

Operating Systems: Windows (primary), potentially other systems with NTFS-like features

Default Config Vulnerable: ⚠️ Yes

Notes: Primarily affects Windows systems due to NTFS-specific feature, but other platforms using libgit2 with similar file system behaviors may be vulnerable.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Libgit2 by Libgit2

View all CVEs affecting Libgit2 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attacker achieves full system compromise through malicious repository clone, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Attackers execute arbitrary code on systems cloning repositories from untrusted sources, compromising the git client application and potentially the underlying system.

🟢

If Mitigated

With proper network controls and repository source validation, impact is limited to denial of service or local file system manipulation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user to clone a malicious repository. Similar to CVE-2019-1352 with known exploitation patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libgit2 v0.28.4 or v0.99.0

Vendor Advisory: https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj

Restart Required: Yes

Instructions:

1. Update libgit2 to version 0.28.4 or 0.99.0. 2. Rebuild applications using libgit2. 3. Restart affected services. 4. Verify git clients using updated library.

🔧 Temporary Workarounds

Restrict Repository Sources

all

Only clone repositories from trusted, verified sources. Implement repository source validation.

Network Segmentation

all

Isolate git operations to restricted network segments with limited system access.

🧯 If You Can't Patch

Implement strict repository source whitelisting and user education about cloning risks.
Deploy application control to prevent execution of unauthorized binaries from git operations.

🔍 How to Verify

Check if Vulnerable:

Check libgit2 version in applications or system libraries. Vulnerable if version < 0.28.4 or 0.9x < 0.99.0.

Check Version:

ldd /path/to/application | grep libgit2 or check application documentation for libgit2 version

Verify Fix Applied:

Confirm libgit2 version is 0.28.4 or higher, or 0.99.0 or higher for 0.9x branch.

📡 Detection & Monitoring

Log Indicators:

Unusual git clone operations from unknown sources
Process execution from git client directories

Network Indicators:

Git clone requests to untrusted repositories
Unusual outbound connections after git operations

SIEM Query:

process_name:git.exe AND command_line:*clone* AND NOT (source_ip IN trusted_ips)

📊 Metadata

CVE ID: CVE-2020-12278

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-706

Published: April 27, 2020

Last Updated: November 21, 2024

🔗 References

https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj Third Party Advisory
https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01 Patch,Third Party Advisory
https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb Patch,Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.28.4 Release Notes,Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.99.0 Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj Third Party Advisory
https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01 Patch,Third Party Advisory
https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb Patch,Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.28.4 Release Notes,Third Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.99.0 Release Notes,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-12278, you might also want to check these: