Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write
CVE-2023-4759

8.8HIGH

Key Information:

Vendor: Eclipse Foundation
Status: Eclipse Jgit
Vendor: CVE Published:; 12 September 2023

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2023-4759?

A vulnerability in Eclipse JGit allows for an arbitrary file overwrite through symbolic links in specially crafted git repositories. When cloned or checked out on case-insensitive filesystems like those on Windows or macOS, this exploitation can permit writing files outside the working tree. This may lead to remote code execution if malicious files are executed in subsequent git operations. Users must have symbolic link creation rights for the vulnerability to be exploited. It is recommended to set the git configuration option 'core.symlinks' to false to mitigate the risk.

Affected Version(s)

Eclipse JGit 0.0.0 <= 6.6.0.202305301015-r

Eclipse JGit 5.13.3.202401111512-r >= 5.13.3.202401111512-r

References

https://gitlab.eclipse.org/security/vulnerability-reports...

https://projects.eclipse.org/projects/technology.jgit/rel...

https://git.eclipse.org/c/jgit/jgit.git/commit/?id=907210...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 12, 2023
Vulnerability Reserved
Sep 4, 2023

Credit

RyotaK