csaf_opensuse - opensuse-su-2025:15232-1

opensuse-su-2025:15232-1

Vulnerability from csaf_opensuse

Published

2025-07-03 00:00

Modified

2025-07-03 00:00

Summary

jgit-5.11.0-2.1 on GA media

Notes

Title of the patch

jgit-5.11.0-2.1 on GA media

Description of the patch

These are all security issues fixed in the jgit-5.11.0-2.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15232

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "jgit-5.11.0-2.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the jgit-5.11.0-2.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15232",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15232-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-4759 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-4759/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-4949 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-4949/"
      }
    ],
    "title": "jgit-5.11.0-2.1 on GA media",
    "tracking": {
      "current_release_date": "2025-07-03T00:00:00Z",
      "generator": {
        "date": "2025-07-03T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15232-1",
      "initial_release_date": "2025-07-03T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-07-03T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jgit-5.11.0-2.1.aarch64",
                "product": {
                  "name": "jgit-5.11.0-2.1.aarch64",
                  "product_id": "jgit-5.11.0-2.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "jgit-javadoc-5.11.0-2.1.aarch64",
                "product": {
                  "name": "jgit-javadoc-5.11.0-2.1.aarch64",
                  "product_id": "jgit-javadoc-5.11.0-2.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jgit-5.11.0-2.1.ppc64le",
                "product": {
                  "name": "jgit-5.11.0-2.1.ppc64le",
                  "product_id": "jgit-5.11.0-2.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "jgit-javadoc-5.11.0-2.1.ppc64le",
                "product": {
                  "name": "jgit-javadoc-5.11.0-2.1.ppc64le",
                  "product_id": "jgit-javadoc-5.11.0-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jgit-5.11.0-2.1.s390x",
                "product": {
                  "name": "jgit-5.11.0-2.1.s390x",
                  "product_id": "jgit-5.11.0-2.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "jgit-javadoc-5.11.0-2.1.s390x",
                "product": {
                  "name": "jgit-javadoc-5.11.0-2.1.s390x",
                  "product_id": "jgit-javadoc-5.11.0-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jgit-5.11.0-2.1.x86_64",
                "product": {
                  "name": "jgit-5.11.0-2.1.x86_64",
                  "product_id": "jgit-5.11.0-2.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "jgit-javadoc-5.11.0-2.1.x86_64",
                "product": {
                  "name": "jgit-javadoc-5.11.0-2.1.x86_64",
                  "product_id": "jgit-javadoc-5.11.0-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-5.11.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-5.11.0-2.1.aarch64"
        },
        "product_reference": "jgit-5.11.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-5.11.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-5.11.0-2.1.ppc64le"
        },
        "product_reference": "jgit-5.11.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-5.11.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-5.11.0-2.1.s390x"
        },
        "product_reference": "jgit-5.11.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-5.11.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-5.11.0-2.1.x86_64"
        },
        "product_reference": "jgit-5.11.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-javadoc-5.11.0-2.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.aarch64"
        },
        "product_reference": "jgit-javadoc-5.11.0-2.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-javadoc-5.11.0-2.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.ppc64le"
        },
        "product_reference": "jgit-javadoc-5.11.0-2.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-javadoc-5.11.0-2.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.s390x"
        },
        "product_reference": "jgit-javadoc-5.11.0-2.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jgit-javadoc-5.11.0-2.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.x86_64"
        },
        "product_reference": "jgit-javadoc-5.11.0-2.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4759",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-4759"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Arbitrary File Overwrite in Eclipse JGit \u003c= 6.6.0\n\nIn Eclipse JGit, all versions \u003c= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\n\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger  via its WorkingTreeUpdater), pull (PullCommand  using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\n\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\n\nSetting git configuration option core.symlinks = false  before checking out avoids the problem.\n\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via  Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/   and  repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\n\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\n\n\n\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.aarch64",
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.ppc64le",
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.s390x",
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.x86_64",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.aarch64",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.ppc64le",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.s390x",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-4759",
          "url": "https://www.suse.com/security/cve/CVE-2023-4759"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215298 for CVE-2023-4759",
          "url": "https://bugzilla.suse.com/1215298"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.x86_64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.x86_64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-4759"
    },
    {
      "cve": "CVE-2025-4949",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-4949"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.aarch64",
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.ppc64le",
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.s390x",
          "openSUSE Tumbleweed:jgit-5.11.0-2.1.x86_64",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.aarch64",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.ppc64le",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.s390x",
          "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-4949",
          "url": "https://www.suse.com/security/cve/CVE-2025-4949"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1243647 for CVE-2025-4949",
          "url": "https://bugzilla.suse.com/1243647"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.x86_64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-5.11.0-2.1.x86_64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.aarch64",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.ppc64le",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.s390x",
            "openSUSE Tumbleweed:jgit-javadoc-5.11.0-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-07-03T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-4949"
    }
  ]
}

CVE-2023-4759 (GCVE-0-2023-4759)

Vulnerability from cvelistv5

Published

2023-09-12 09:12

Modified

2024-08-02 07:37

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CWE-178 - Improper Handling of Case Sensitivity

Summary

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

References

►

URL

Tags

	https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11
	https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1
	https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1

Impacted products

	Vendor	Product	Version
	Eclipse Foundation	Eclipse JGit	Version: 0.0.0 ≤ 6.6.0.202305301015-r

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "jgit",
            "vendor": "eclipse",
            "versions": [
              {
                "lessThanOrEqual": "6.6.0.202305301015-r",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:eclipse:jgit:5.13.3.202401111512-r:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "jgit",
            "vendor": "eclipse",
            "versions": [
              {
                "status": "unaffected",
                "version": "5.13.3.202401111512-r"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4759",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T03:55:38.083883Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-19T13:51:38.023Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:37:59.574Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://git.eclipse.org/c/jgit/jgit.git/",
          "defaultStatus": "unaffected",
          "product": "Eclipse JGit",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThanOrEqual": "6.6.0.202305301015-r",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "  5.13.3.202401111512-r"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "RyotaK"
        }
      ],
      "datePublic": "2023-09-12T10:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eArbitrary File Overwrite in Eclipse JGit \u0026lt;= 6.6.0\u003c/p\u003e\u003cp\u003eIn Eclipse JGit, all versions \u0026lt;= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\u003c/p\u003e\u003cp\u003eThis can happen on checkout (\u003ccode\u003eDirCacheCheckout\u003c/code\u003e), merge (\u003ccode\u003eResolveMerger\u003c/code\u003e\u0026nbsp;via its \u003ccode\u003eWorkingTreeUpdater\u003c/code\u003e), pull (\u003ccode\u003ePullCommand\u003c/code\u003e\u0026nbsp;using merge), and when applying a patch (\u003ccode\u003ePatchApplier\u003c/code\u003e). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\u003c/p\u003e\u003cp\u003eThe issue occurs only on case-\u003cstrong\u003ein\u003c/strong\u003esensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\u003c/p\u003e\u003cp\u003eSetting git configuration option \u003ccode\u003ecore.symlinks = false\u003c/code\u003e\u0026nbsp;before checking out avoids the problem.\u003c/p\u003e\u003cp\u003eThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://repo1.maven.org/maven2/org/eclipse/jgit/\"\u003eMaven Central\u003c/a\u003e\u0026nbsp;and \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://repo.eclipse.org/content/repositories/jgit-releases/\"\u003erepo.eclipse.org\u003c/a\u003e. A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Arbitrary File Overwrite in Eclipse JGit \u003c= 6.6.0\n\nIn Eclipse JGit, all versions \u003c= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\n\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger\u00a0via its WorkingTreeUpdater), pull (PullCommand\u00a0using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\n\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\n\nSetting git configuration option core.symlinks = false\u00a0before checking out avoids the problem.\n\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via  Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ \u00a0and  repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\n\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-132",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-132 Symlink Attack"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59 Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-178",
              "description": "CWE-178 Improper Handling of Case Sensitivity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-12T15:21:24.101Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11"
        },
        {
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1"
        },
        {
          "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSetting git configuration option \u003ccode\u003ecore.symlinks = false\u003c/code\u003e\u0026nbsp;before checking out avoids the problem.\u003c/p\u003e"
            }
          ],
          "value": "Setting git configuration option core.symlinks = false\u00a0before checking out avoids the problem.\n\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2023-4759",
    "datePublished": "2023-09-12T09:12:10.254Z",
    "dateReserved": "2023-09-04T16:06:00.689Z",
    "dateUpdated": "2024-08-02T07:37:59.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4949 (GCVE-0-2025-4949)

Vulnerability from cvelistv5

Published

2025-05-21 06:47

Modified

2025-05-23 07:00

Severity ?

6.8 (Medium) - CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green

CWE

CWE-611 - Improper Restriction of XML External Entity Reference
CWE-827 - Improper Control of Document Type Definition

Summary

In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.

References

►

URL

Tags

	https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1	release-notes
	https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1	release-notes
	https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1	release-notes
	https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1	release-notes
	https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281	issue-tracking
	https://gitlab.eclipse.org/security/cve-assignement/-/issues/64	issue-tracking

Impacted products

Vendor

Product

Version

►

Eclipse JGit

Version: 7.2.0
Version: 7.1.0
Version: 7.0.0
Version: 0

Eclipse JGit

Version: 7.2.0
Version: 7.1.0
Version: 7.0.0
Version: 0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4949",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T10:22:48.944398Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-21T10:24:58.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://projects.eclipse.org",
          "defaultStatus": "unaffected",
          "product": "Eclipse JGit",
          "repo": "https://github.com/eclipse-jgit/jgit",
          "vendor": "Eclipse JGit",
          "versions": [
            {
              "lessThan": "7.2.1.202505142326-r",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "osgi"
            },
            {
              "lessThan": "7.1.1.202505221757-r",
              "status": "affected",
              "version": "7.1.0",
              "versionType": "osgi"
            },
            {
              "lessThan": "7.0.1.202505221510-r",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "osgi"
            },
            {
              "lessThan": "6.10.1.202505221210-r",
              "status": "affected",
              "version": "0",
              "versionType": "osgi"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit",
          "product": "Eclipse JGit",
          "repo": "https://github.com/eclipse-jgit/jgit",
          "vendor": "Eclipse JGit",
          "versions": [
            {
              "lessThan": "7.2.1.202505142326-r",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "osgi"
            },
            {
              "lessThan": "7.1.1.202505221757-r",
              "status": "affected",
              "version": "7.1.0",
              "versionType": "osgi"
            },
            {
              "lessThan": "7.0.1.202505221510-r",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "osgi"
            },
            {
              "lessThan": "6.10.1.202505221210-r",
              "status": "affected",
              "version": "0",
              "versionType": "osgi"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Simon Gerst (intrigus-lgtm) https://intrigus.org"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the \u003ccode\u003eManifestParser\u003c/code\u003e class used by the \u003ccode\u003erepo\u003c/code\u003e command and the \u003ccode\u003eAmazonS3\u003c/code\u003e class used to implement the experimental \u003ccode\u003eamazons3\u003c/code\u003e git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues."
            }
          ],
          "value": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-201",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-201 Serialized Data External Linking"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL."
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-827",
              "description": "CWE-827 Improper Control of Document Type Definition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-23T07:00:45.737Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "XXE vulnerability in Eclipse JGit",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2025-4949",
    "datePublished": "2025-05-21T06:47:19.777Z",
    "dateReserved": "2025-05-19T07:02:22.381Z",
    "dateUpdated": "2025-05-23T07:00:45.737Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2025:15232-1

Vulnerability from csaf_opensuse

CVE-2023-4759 (GCVE-0-2023-4759)

Vulnerability from cvelistv5

CVE-2025-4949 (GCVE-0-2025-4949)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature