VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-4759

⇱ NVD - CVE-2023-4759


  1. Vulnerabilities

CVE-2023-4759 Detail

Modified After Enrichment

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Description

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 CVE, Eclipse Foundation Patch  Vendor Advisory 
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11 CVE, Eclipse Foundation Issue Tracking  Vendor Advisory 
https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1 CVE, Eclipse Foundation Release Notes  Vendor Advisory 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-59 Improper Link Resolution Before File Access ('Link Following') 👁 cwe source acceptance level
NIST  
Eclipse Foundation  
CWE-178 Improper Handling of Case Sensitivity 👁 cwe source acceptance level
NIST  
Eclipse Foundation  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

9 change records found show changes

CVE Modified by CISA-ADP 6/17/2026 2:38:32 AM

Action Type Old Value New Value
Added Affected
[{"vendor":"eclipse","product":"jgit","defaultStatus":"unaffected","cpes":["cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","lessThanOrEqual":"6.6.0.202305301015-r","versionType":"semver","status":"affected"}]},{"vendor":"eclipse","product":"jgit","defaultStatus":"unaffected","cpes":["cpe:2.3:a:eclipse:jgit:5.13.3.202401111512-r:*:*:*:*:*:*:*"],"versions":[{"version":"5.13.3.202401111512-r","status":"unaffected"}]}]


Added SSVC
{"timestamp":"2024-07-19T03:55:38.083883Z","id":"CVE-2023-4759","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}


CVE Modified by Eclipse Foundation 6/17/2026 2:38:32 AM

Action Type Old Value New Value
Added Affected
[{"vendor":"Eclipse Foundation","product":"Eclipse JGit","defaultStatus":"unaffected","collectionURL":"https://git.eclipse.org/c/jgit/jgit.git/","versions":[{"version":"0.0.0","lessThanOrEqual":"6.6.0.202305301015-r","versionType":"semver","status":"affected"},{"version":" 5.13.3.202401111512-r","status":"unaffected"}]}]


CVE Modified by CVE 11/21/2024 3:35:55 AM

Action Type Old Value New Value
Added Reference
https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1


Added Reference
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11


Added Reference
https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1


Reanalysis by NIST 8/07/2024 1:30:50 PM

Action Type Old Value New Value
Changed CPE Configuration
OR
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions up to (excluding) 5.13.3.202401111512-r
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0 up to (excluding) 6.6.0.202305301015
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.0.202309050840


AND
 OR
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions up to (excluding) 5.13.3.202401111512-r
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0 up to (excluding) 6.6.0.202305301015
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.0.202309050840
 OR
 cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
 cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*


CVE Modified by Eclipse Foundation 5/14/2024 10:12:59 AM

Action Type Old Value New Value

Modified Analysis by NIST 4/26/2024 12:09:44 PM

Action Type Old Value New Value
Changed CPE Configuration
OR
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions up to (excluding) 6.6.0.202305301015
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.0.202309050840


OR
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions up to (excluding) 5.13.3.202401111512-r
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0 up to (excluding) 6.6.0.202305301015
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.0.202309050840


CVE Modified by Eclipse Foundation 1/12/2024 11:15:52 AM

Action Type Old Value New Value
Changed Description
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ .


The JGit maintainers would like to thank RyotaK for finding and reporting this issue.





Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.


The JGit maintainers would like to thank RyotaK for finding and reporting this issue.





Reanalysis by NIST 11/15/2023 2:35:44 PM

Action Type Old Value New Value
Changed CPE Configuration
OR
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0 up to (excluding) 6.6.1.202309021850
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.0.202309050840


OR
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions up to (excluding) 6.6.0.202305301015
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.0.202309050840


Initial Analysis by NIST 9/18/2023 9:54:11 AM

Action Type Old Value New Value
Added CVSS V3.1
NIST AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


Added CWE
NIST CWE-59


Added CWE
NIST CWE-178


Added CPE Configuration
OR
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.6.0 up to (excluding) 6.6.1.202309021850
 *cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:* versions from (including) 6.7.0 up to (excluding) 6.7.0.202309050840


Changed Reference Type
https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 No Types Assigned


https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 Patch, Vendor Advisory


Changed Reference Type
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11 No Types Assigned


https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11 Issue Tracking, Vendor Advisory


Changed Reference Type
https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1 No Types Assigned


https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1 Release Notes, Vendor Advisory


Quick Info

CVE Dictionary Entry:
CVE-2023-4759
NVD Published Date:
09/12/2023
NVD Last Modified:
06/17/2026
Source:
Eclipse Foundation