Improper Handling of Case Sensitivity Affecting org.eclipse.jgit:org.eclipse.jgit package, versions [,5.13.3.202401111512-r) [6.0.0,6.6.1.202309021850-r)


Severity

    Snyk CVSS: high
        Attack Complexity: Low
        Confidentiality: High
        Integrity: High
        Availability: High

    Threat Intelligence
        Exploit Maturity: Proof of concept
        EPSS: 0.13% (48th percentile)

    NVD: 8.8 high
    SUSE: 7.5 high

  • Snyk ID SNYK-JAVA-ORGECLIPSEJGIT-5905182
  • published 19 Sep 2023
  • disclosed 18 Sep 2023
  • credit RyotaK

How to fix?

Upgrade org.eclipse.jgit:org.eclipse.jgit to version 5.13.3.202401111512-r, 6.6.1.202309021850-r or higher.
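A version-range check, added here as an example and not part of Snyk's or JGit's own tooling, that tests a JGit version string against the affected ranges quoted in this advisory's title (the interval notation and the four-component JGit version format are assumed to be as shown on this page):

```python
import re

# Affected ranges copied verbatim from the advisory title (Snyk interval notation).
AFFECTED_RANGES = "[,5.13.3.202401111512-r ) [6.0.0,6.6.1.202309021850-r)"


def parse_version(v: str) -> tuple:
    """Turn a JGit version such as '5.13.3.202401111512-r' into a comparable tuple.

    The '-r' release qualifier carries no ordering information and is dropped;
    versions with fewer than four numeric components (e.g. '6.0.0') are padded
    with zeros so that '6.0.0' sorts before '6.0.0.<timestamp>'.
    """
    core = v.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected JGit version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def parse_ranges(spec: str) -> list:
    """Parse '[lo,hi)'-style intervals into (low, low_incl, high, high_incl) tuples.

    An empty bound (as in '[,5.13.3...-r)') means unbounded on that side.
    """
    pattern = r"([\[(])\s*([^,\]\)]*?)\s*,\s*([^,\]\)]*?)\s*([\])])"
    ranges = []
    for open_br, lo, hi, close_br in re.findall(pattern, spec):
        low = parse_version(lo) if lo else None
        high = parse_version(hi) if hi else None
        ranges.append((low, open_br == "[", high, close_br == "]"))
    return ranges


def is_affected(version: str, spec: str = AFFECTED_RANGES) -> bool:
    """True when `version` falls inside any affected interval of `spec`."""
    v = parse_version(version)
    for low, low_incl, high, high_incl in parse_ranges(spec):
        above_low = low is None or (v >= low if low_incl else v > low)
        below_high = high is None or (v <= high if high_incl else v < high)
        if above_low and below_high:
            return True
    return False
```

Feeding the version resolved by the build (e.g. from the Maven dependency tree) into `is_affected` flags any build still inside the two affected intervals, while the two fixed versions named above and anything newer report as not affected.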

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in DirCacheCheckout, ResolveMerger (through its WorkingTreeUpdater), PullCommand when it merges, and PatchApplier when a patch is applied. On case-insensitive filesystems an attacker can cause a file to be written to a location outside the working tree. This can lead to remote code execution if the written file is a git filter that a subsequent git command executes.

Note: This is only exploitable if the user performing the clone or checkout has the rights to create symbolic links, and symbolic links are enabled in the git configuration.

Workaround:

The issue can be mitigated by disabling symbolic links in the git configuration.