Improper Handling of Case Sensitivity Affecting org.eclipse.jgit:org.eclipse.jgit package, versions [,5.13.3.202401111512-r) [6.0.0,6.6.1.202309021850-r)
- Snyk ID SNYK-JAVA-ORGECLIPSEJGIT-5905182
- published 19 Sep 2023
- disclosed 18 Sep 2023
- credit RyotaK
Introduced: 18 Sep 2023
- CVE-2023-4759
How to fix?
Upgrade org.eclipse.jgit:org.eclipse.jgit to version 5.13.3.202401111512-r, 6.6.1.202309021850-r or higher.
Overview
Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity. When a repository is checked out on a case-insensitive filesystem, an attacker who controls the repository content can cause a file to be written to a location outside the working tree. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). It can lead to remote code execution, for example if the file written outside the working tree is a git filter that gets executed on a subsequent git command.
Note: This is only exploitable if the user performing the clone or checkout has the rights to create symbolic links, and symbolic links are enabled in the git configuration.
Workaround:
The issue can be mitigated by disabling symbolic links in the git configuration (core.symlinks set to false), which removes the precondition stated above.
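The advisory describes the precondition (symbolic links enabled, case-insensitive filesystem) but not a way to vet a repository before checking it out. The following is an added example, not code from Snyk or from the JGit project: a pre-checkout audit that parses `git ls-tree -r` style entries and flags (a) symlink entries whose case-folded path coincides with another entry or with a directory prefix of another entry, which is the situation where a case-insensitive filesystem would resolve both names to one on-disk path, and (b) symlink entries whose target resolves above the working tree root or into `.git`. The sample tree listing and the symlink targets are constructed for illustration; in practice the targets would be read from the symlink blobs. Treating a collision as a reason to refuse the checkout is an assumption made here, not a behaviour of JGit.

```python
"""Pre-checkout audit for case-folding collisions that involve symlinks.

Added example (not JGit or Snyk code). Input is text in the shape of
`git ls-tree -r` output: "<mode> <type> <sha>\t<path>" per line.
"""
from posixpath import normpath

SYMLINK_MODE = "120000"

# Constructed sample listing: a symlink "A" and a directory "a/" whose names
# differ only by case, two regular files that also collide under case folding
# (harmless, no symlink involved), and a symlink under docs/.
SAMPLE_LS_TREE = (
    "120000 blob 0000000000000000000000000000000000000000\tA\n"
    "100644 blob 0000000000000000000000000000000000000000\ta/config\n"
    "100644 blob 0000000000000000000000000000000000000000\tREADME.md\n"
    "100644 blob 0000000000000000000000000000000000000000\treadme.MD\n"
    "120000 blob 0000000000000000000000000000000000000000\tdocs/link_out\n"
)
# Constructed symlink targets (would normally be read from the symlink blobs).
SAMPLE_TARGETS = {"A": ".git", "docs/link_out": "../../etc/passwd"}


def parse_ls_tree(text):
    """Parse `git ls-tree -r` lines into dicts with mode, type, sha and path."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        mode, obj_type, sha = meta.split()
        entries.append({"mode": mode, "type": obj_type, "sha": sha, "path": path})
    return entries


def folded_prefixes(path):
    """Yield every case-folded path prefix: 'A/b/c' -> 'a', 'a/b', 'a/b/c'."""
    parts = path.split("/")
    for i in range(1, len(parts) + 1):
        yield "/".join(parts[:i]).casefold()


def find_symlink_collisions(entries):
    """Return sorted (symlink_path, other_path) pairs where the symlink's
    case-folded path equals the case-folded path, or a directory prefix of
    the path, of a non-symlink entry. On a case-insensitive filesystem both
    names land on the same on-disk entry, so a write under the "directory"
    may instead follow the link."""
    symlinks = {e["path"].casefold(): e["path"]
                for e in entries if e["mode"] == SYMLINK_MODE}
    hits = set()
    for e in entries:
        if e["mode"] == SYMLINK_MODE:
            continue
        for prefix in folded_prefixes(e["path"]):
            if prefix in symlinks:
                hits.add((symlinks[prefix], e["path"]))
    return sorted(hits)


def symlink_escapes(link_path, target):
    """True if a symlink at link_path with the given target resolves to an
    absolute path, above the working tree root, or into the .git directory."""
    if target.startswith("/"):
        return True
    base = link_path.rsplit("/", 1)[0] if "/" in link_path else ""
    resolved = normpath(f"{base}/{target}" if base else target)
    return (resolved == ".." or resolved.startswith("../")
            or resolved == ".git" or resolved.startswith(".git/"))


def escaping_symlinks(entries, targets):
    """Return symlink paths (in listing order) whose target escapes the tree."""
    return [e["path"] for e in entries
            if e["mode"] == SYMLINK_MODE
            and symlink_escapes(e["path"], targets.get(e["path"], ""))]


def audit(ls_tree_text, targets):
    """Run both checks; an empty result means no finding (assumed safe to check out)."""
    entries = parse_ls_tree(ls_tree_text)
    return {"collisions": find_symlink_collisions(entries),
            "escaping": escaping_symlinks(entries, targets)}


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_LS_TREE, SAMPLE_TARGETS).items():
        print(kind, findings)
```

Running the block on the constructed listing reports the `A` / `a/config` pair and both symlinks with escaping targets, while the `README.md` / `readme.MD` pair is not reported because neither entry is a symlink. For repositories that must be checked out on a case-insensitive filesystem before upgrading, the workaround above (`git config core.symlinks false` in the target repository, which JGit also honours) is the simpler control.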