Link Following Affecting eap7-resteasy-cdi package, versions <0:3.15.9-1.Final_redhat_00001.1.el8eap


Severity

medium

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.2% (59th percentile)

  • Snyk ID: SNYK-RHEL8-EAP7RESTEASYCDI-6231525
  • published: 7 Feb 2024
  • disclosed: 12 Sept 2023

Introduced: 12 Sep 2023

CVE-2023-4759
CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-178: Improper Handling of Case Sensitivity

How to fix?

Upgrade RHEL:8 eap7-resteasy-cdi to version 0:3.15.9-1.Final_redhat_00001.1.el8eap or higher.
This issue was patched in RHSA-2024:0711.

NVD Description

Note: Versions mentioned in the description below apply only to the upstream Eclipse JGit project and not to the eap7-resteasy-cdi package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting the git configuration option core.symlinks = false before checking out avoids the problem, because JGit then writes symbolic-link entries as plain files containing the link target instead of creating real links.
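The repository layout this issue depends on can be screened for before a checkout: a symbolic-link entry together with another entry whose path, compared case-insensitively, sits under that link (for instance a symlink `A` next to a file `a/pre-commit`). The following is an added example, not code from this page or from the JGit project: a Python scan over (path, mode) index entries that reports such collisions, a probe for whether the target filesystem folds case, and a constructed sample index; the entry paths and the `checkout_is_safe` policy function are assumptions made for illustration.

```python
"""Added example: spot the tree layout that CVE-2023-4759 abuses.

The bug needs two things in one repository: a symbolic-link entry, and
another entry whose path, compared case-insensitively, lives under that
link (symlink "A" plus file "a/pre-commit").  On a case-insensitive
filesystem the second write resolves through the link and lands outside
the working tree.  This is an illustrative pre-checkout scan, not JGit's
own fix; the sample repository contents below are constructed.
"""
import os
import tempfile
from typing import Iterable, List, Optional, Tuple

# Git tree-entry modes (octal, as stored in the index and tree objects).
MODE_REGULAR = 0o100644
MODE_SYMLINK = 0o120000

Entry = Tuple[str, int]  # (path relative to the work tree, git mode)


def _fold(path: str) -> str:
    """Approximate how a case-insensitive filesystem compares names."""
    return path.casefold()


def find_symlink_collisions(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (symlink_path, victim_path) pairs that collide case-insensitively.

    A victim is any other entry whose folded path equals the folded symlink
    path or has it as a leading directory component.  Checkout order is
    deliberately ignored: either order is suspicious enough to refuse when
    the filesystem folds case.
    """
    entries = list(entries)
    collisions: List[Tuple[str, str]] = []
    for link_path, mode in entries:
        if mode != MODE_SYMLINK:
            continue
        link_f = _fold(link_path)
        for path, _ in entries:
            if path == link_path:
                continue
            path_f = _fold(path)
            if path_f == link_f or path_f.startswith(link_f + "/"):
                collisions.append((link_path, path))
    return collisions


def filesystem_is_case_insensitive(directory: Optional[str] = None) -> bool:
    """Probe whether `directory` (default: the system temp dir) folds case.

    Creates a lowercase file and asks whether its uppercase spelling resolves;
    true on default Windows (NTFS) and macOS (APFS) volumes, false on ext4.
    """
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        with open(os.path.join(tmp, "case_probe"), "w"):
            pass
        return os.path.exists(os.path.join(tmp, "CASE_PROBE"))


def checkout_is_safe(entries: Iterable[Entry], case_insensitive: bool) -> bool:
    """Policy (assumed): collisions only block checkout when case folds."""
    return not case_insensitive or not find_symlink_collisions(entries)


# Constructed index of a malicious repository (not taken from any real repo).
# "A" is a symlink whose target would point outside the tree; "a/pre-commit"
# is then written through it on a case-insensitive filesystem.
SAMPLE_ENTRIES: List[Entry] = [
    ("A", MODE_SYMLINK),
    ("README.md", MODE_REGULAR),
    ("a/pre-commit", MODE_REGULAR),
    ("docs/IMG", MODE_SYMLINK),
    ("docs/img/logo.png", MODE_REGULAR),
    ("lib", MODE_SYMLINK),          # no collision: "libfoo/x" is not under "lib/"
    ("libfoo/x", MODE_REGULAR),
]

if __name__ == "__main__":
    insensitive = filesystem_is_case_insensitive()
    print(f"filesystem case-insensitive: {insensitive}")
    for link, victim in find_symlink_collisions(SAMPLE_ENTRIES):
        print(f"symlink {link!r} collides with {victim!r}")
    print("safe to check out:", checkout_is_safe(SAMPLE_ENTRIES, insensitive))
```

On a case-sensitive filesystem the scan still reports the two collisions but `checkout_is_safe` lets the checkout proceed, matching the advisory's statement that the problem only occurs where case folds. Refusing such a tree, or forcing `core.symlinks = false` there, is a workaround only; the fix is the patched eap7 package from RHSA-2024:0711 or a JGit release that contains the upstream correction.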

The issue was fixed in Eclipse JGit versions 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central (https://repo1.maven.org/maven2/org/eclipse/jgit/) and repo.eclipse.org (https://repo.eclipse.org/content/repositories/jgit-releases/). A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.

The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

CVSS Scores

version 3.1