org.eclipse.jgit:org.eclipse.jgit 4.9.3.201807311005-r vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jgit:org.eclipse.jgit package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M XML External Entity (XXE) Injection Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the `ManifestParser` and `AmazonS3` classes which use a SAXParser to parse XML files without properly configuring it to disable external entity processing. An attacker can access sensitive information or disrupt service by exploiting improperly parsed XML files. How to fix XML External Entity (XXE) Injection? Upgrade `org.eclipse.jgit:org.eclipse.jgit` to version 6.10.1.202505221210-r, 7.0.1.202505221510-r, 7.1.1.202505221757-r, 7.2.1.202505142326-r or higher.	[,6.10.1.202505221210-r)[7.0.0.202409031743-r,7.0.1.202505221510-r)[7.1.0.202411261347-r,7.1.1.202505221757-r)[7.2.0.202503040940-r,7.2.1.202505142326-r)
H Improper Handling of Case Sensitivity Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the `DirCacheCheckout`, `ResolveMerger` (via its `WorkingTreeUpdater`), `PullCommand` using merge, and when applying a patch (`PatchApplier`). An attacker can write a file to locations outside the working tree on case-insensitive filesystems. This can lead to remote code execution if the written file is a git filter that gets executed on a subsequent git command. Note: This is only exploitable if the user performing the clone or checkout has the rights to create symbolic links, and symbolic links are enabled in the git configuration. How to fix Improper Handling of Case Sensitivity? Upgrade `org.eclipse.jgit:org.eclipse.jgit` to version 5.13.3.202401111512-r, 6.6.1.202309021850-r or higher.	[,5.13.3.202401111512-r)[6.0.0,6.6.1.202309021850-r)

Vulnerability

Vulnerable Version

XML External Entity (XXE) Injection

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the ManifestParser and AmazonS3 classes which use a SAXParser to parse XML files without properly configuring it to disable external entity processing. An attacker can access sensitive information or disrupt service by exploiting improperly parsed XML files.

How to fix XML External Entity (XXE) Injection?

Upgrade org.eclipse.jgit:org.eclipse.jgit to version 6.10.1.202505221210-r, 7.0.1.202505221510-r, 7.1.1.202505221757-r, 7.2.1.202505142326-r or higher.

[,6.10.1.202505221210-r)[7.0.0.202409031743-r,7.0.1.202505221510-r)[7.1.0.202411261347-r,7.1.1.202505221757-r)[7.2.0.202503040940-r,7.2.1.202505142326-r)

Improper Handling of Case Sensitivity

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the DirCacheCheckout, ResolveMerger (via its WorkingTreeUpdater), PullCommand using merge, and when applying a patch (PatchApplier). An attacker can write a file to locations outside the working tree on case-insensitive filesystems. This can lead to remote code execution if the written file is a git filter that gets executed on a subsequent git command.

Note: This is only exploitable if the user performing the clone or checkout has the rights to create symbolic links, and symbolic links are enabled in the git configuration.

How to fix Improper Handling of Case Sensitivity?

Upgrade org.eclipse.jgit:org.eclipse.jgit to version 5.13.3.202401111512-r, 6.6.1.202309021850-r or higher.

[,5.13.3.202401111512-r)[6.0.0,6.6.1.202309021850-r)

org.eclipse.jgit:org.eclipse.jgit@4.9.3.201807311005-r vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?