Description
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command, and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (which allows git pack files to be stored in an Amazon S3 bucket), are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
A flaw was found in Eclipse JGit. This vulnerability can allow information disclosure, denial of service, and other security issues when parsing XML files.
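Both affected code paths share the same root cause: an XML parser that honours DOCTYPE declarations and resolves external entities in attacker-supplied input. The usual mitigation is to configure the JAXP parser so that no DTD is processed at all, which removes both the entity-based disclosure vector and entity-expansion denial of service. The following is an added example of that hardening written for this page; it is not JGit's own code and does not claim to reproduce the project's fix. The feature URIs are the standard JAXP/Xerces ones shipped with the JDK, the `countProjects` helper and the manifest-like sample documents are constructed for illustration, and the second sample carries only an internal entity, which is enough to show that the hardened factory refuses any DOCTYPE before it is interpreted.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: parsing untrusted XML with DTD processing fully disabled (not JGit code). */
public final class HardenedManifestParse {

    /** Build a SAXParserFactory that refuses DOCTYPEs and never resolves external entities. */
    static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Primary control: reject any DOCTYPE. Without a DTD there are no entity
        // declarations, so neither XXE nor "billion laughs" expansion is possible.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /**
     * Hypothetical helper: count <project> elements in a repo-style manifest.
     * Throws SAXException if the document carries a DOCTYPE.
     */
    static int countProjects(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        final int[] count = {0};
        SAXParser parser = hardenedFactory().newSAXParser();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName,
                                     Attributes attrs) {
                if ("project".equals(localName)) {
                    count[0]++;
                }
            }
        });
        return count[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain manifest with no DTD parses normally.
        String benign = "<?xml version=\"1.0\"?>"
                + "<manifest>"
                + "<project name=\"platform/a\" path=\"a\"/>"
                + "<project name=\"platform/b\" path=\"b\"/>"
                + "</manifest>";
        System.out.println("benign manifest: " + countProjects(benign) + " projects");

        // Constructed sample: the same manifest with a DOCTYPE declaring an internal
        // entity. The hardened parser rejects it before any entity is resolved.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE manifest [<!ENTITY e \"x\">]>"
                + "<manifest><project name=\"&e;\" path=\"x\"/></manifest>";
        try {
            countProjects(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as intended: " + e.getMessage());
        }
    }
}
```

The order of the calls matters only in that `disallow-doctype-decl` does the real work; the remaining features exist so that a parser implementation which does not recognise that URI still cannot reach the network or the filesystem. The same set of features applies to `DocumentBuilderFactory`, and on `XMLInputFactory` the equivalent is setting `XMLInputFactory.SUPPORT_DTD` to `false`.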
Report
This vulnerability is rated Moderate for Red Hat products. A flaw in Eclipse JGit allows for XML External Entity (XXE) attacks when parsing specially crafted XML files. This can lead to local denial of service in affected Red Hat products that utilize JGit's ManifestParser or AmazonS3 class for git transport. The current 9.8 rating by NVD assumes a default, server-side exploitation path. However, the vulnerability resides in the experimental AmazonS3 transport class within Eclipse JGit, which is not enabled by default and requires non-standard configuration (Attack Complexity: High). Furthermore, exploitation typically occurs via client-side tools (e.g., repo) requiring active user participation (User Interaction: Required), limiting the primary risk to local Denial of Service rather than remote, unauthenticated compromise (Availability: High).
Affected packages

| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | org.eclipse.jgit | Affected | | |
| Cryostat 3 | org.eclipse.jgit | Affected | | |
| Cryostat 4 | org.eclipse.jgit | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | org.eclipse.jgit | Affected | | |
| Red Hat AMQ Broker 7 | org.eclipse.jgit | Not affected | | |
| Red Hat build of Apicurio Registry 2 | org.eclipse.jgit | Affected | | |
| Red Hat build of Apicurio Registry 3 | org.eclipse.jgit | Affected | | |
| Red Hat build of OptaPlanner 8 | org.eclipse.jgit | Not affected | | |
| Red Hat Data Grid 8 | org.eclipse.jgit | Not affected | | |
| Red Hat Fuse 7 | org.eclipse.jgit | Will not fix | | |
Source links
Additional information
Status:
EPSS
4.8 Medium
CVSS3