PT-2023-5557
Vendor: Eclipse · Product: Eclipse Jgit
Credited: Ryotak · Published 2023-06-16 · Updated 2025-07-03 · CVE-2023-4759
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Eclipse JGit versions prior to 6.6.1.202309021850-r
Eclipse JGit versions prior to 6.7.0.202309050840-r
Eclipse JGit versions 5.13.3 prior to 5.13.3.202401111512-r

Description
The issue is related to the handling of symbolic links in Eclipse JGit on case-insensitive filesystems, allowing an attacker to write files outside the working tree. This can occur during checkout, merge, pull, or when applying a patch, and can be exploited for remote code execution if the written file is a git filter. The problem is specific to case-insensitive filesystems such as those on Windows and macOS, and the user must have the rights to create symbolic links and have them enabled in the git configuration. Setting the git configuration option core.symlinks to false before checking out avoids the problem.

Recommendations
For Eclipse JGit versions prior to 6.6.1.202309021850-r, update to version 6.6.1.202309021850-r or later.
For Eclipse JGit versions prior to 6.7.0.202309050840-r, update to version 6.7.0.202309050840-r or later.
For Eclipse JGit versions 5.13.3 prior to 5.13.3.202401111512-r, update to version 5.13.3.202401111512-r or later.
As a temporary workaround, consider setting the git configuration option core.symlinks to false before checking out to avoid the problem.

Tags: Fix · RCE · Link Following

Related Identifiers

BDU:2023-06208
CVE-2023-4759
GHSA-3P86-9955-H393
OESA-2023-1995
OPENSUSE-SU-2024:13312-1
OPENSUSE-SU-2024_0057-1
OPENSUSE-SU-2025:15232-1
RHSA-2024:0710
RHSA-2024:0711
RHSA-2024:0712
RHSA-2024:1192
RHSA-2024:1193
SUSE-SU-2024:0057-1
SUSE-SU-2024_0057-1

Affected Products

Bamboo
Debian
Eclipse Jgit
Suse