org.eclipse.jgit:org.eclipse.jgit 3.4.2.201412180340-r vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jgit:org.eclipse.jgit package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M XML External Entity (XXE) Injection Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the `ManifestParser` and `AmazonS3` classes which use a SAXParser to parse XML files without properly configuring it to disable external entity processing. An attacker can access sensitive information or disrupt service by exploiting improperly parsed XML files. How to fix XML External Entity (XXE) Injection? Upgrade `org.eclipse.jgit:org.eclipse.jgit` to version 6.10.1.202505221210-r, 7.0.1.202505221510-r, 7.1.1.202505221757-r, 7.2.1.202505142326-r or higher.	[,6.10.1.202505221210-r)[7.0.0.202409031743-r,7.0.1.202505221510-r)[7.1.0.202411261347-r,7.1.1.202505221757-r)[7.2.0.202503040940-r,7.2.1.202505142326-r)
H Improper Handling of Case Sensitivity Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the `DirCacheCheckout`, `ResolveMerger` (via its `WorkingTreeUpdater`), `PullCommand` using merge, and when applying a patch (`PatchApplier`). An attacker can write a file to locations outside the working tree on case-insensitive filesystems. This can lead to remote code execution if the written file is a git filter that gets executed on a subsequent git command. Note: This is only exploitable if the user performing the clone or checkout has the rights to create symbolic links, and symbolic links are enabled in the git configuration. How to fix Improper Handling of Case Sensitivity? Upgrade `org.eclipse.jgit:org.eclipse.jgit` to version 5.13.3.202401111512-r, 6.6.1.202309021850-r or higher.	[,5.13.3.202401111512-r)[6.0.0,6.6.1.202309021850-r)
C Improper Input Validation Affected versions of this package are vulnerable to Improper Input Validation. Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. How to fix Improper Input Validation? Upgrade `org.eclipse.jgit:org.eclipse.jgit` to version 3.5.3.201412180710-r or higher.	[,3.5.3.201412180710-r)

Vulnerability

Vulnerable Version

XML External Entity (XXE) Injection

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the ManifestParser and AmazonS3 classes which use a SAXParser to parse XML files without properly configuring it to disable external entity processing. An attacker can access sensitive information or disrupt service by exploiting improperly parsed XML files.

How to fix XML External Entity (XXE) Injection?

Upgrade org.eclipse.jgit:org.eclipse.jgit to version 6.10.1.202505221210-r, 7.0.1.202505221510-r, 7.1.1.202505221757-r, 7.2.1.202505142326-r or higher.

[,6.10.1.202505221210-r)[7.0.0.202409031743-r,7.0.1.202505221510-r)[7.1.0.202411261347-r,7.1.1.202505221757-r)[7.2.0.202503040940-r,7.2.1.202505142326-r)

Improper Handling of Case Sensitivity

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the DirCacheCheckout, ResolveMerger (via its WorkingTreeUpdater), PullCommand using merge, and when applying a patch (PatchApplier). An attacker can write a file to locations outside the working tree on case-insensitive filesystems. This can lead to remote code execution if the written file is a git filter that gets executed on a subsequent git command.

Note: This is only exploitable if the user performing the clone or checkout has the rights to create symbolic links, and symbolic links are enabled in the git configuration.

How to fix Improper Handling of Case Sensitivity?

Upgrade org.eclipse.jgit:org.eclipse.jgit to version 5.13.3.202401111512-r, 6.6.1.202309021850-r or higher.

[,5.13.3.202401111512-r)[6.0.0,6.6.1.202309021850-r)

Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation. Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

How to fix Improper Input Validation?

Upgrade org.eclipse.jgit:org.eclipse.jgit to version 3.5.3.201412180710-r or higher.

[,3.5.3.201412180710-r)

org.eclipse.jgit:org.eclipse.jgit@3.4.2.201412180340-r vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?