Fabre

#1106287 jgit: CVE-2025-4949 #1106287

Package:: src:jgit

Source:: src:jgit

Submitter:: Moritz Mühlenhoff

Date:: 2025-05-22 18:05:03 UTC

Severity:: normal

Tags:

#1106287#5

Date:: 2025-05-22 15:36:45 UTC

From:

To:

Hi,

The following vulnerability was published for jgit.

CVE-2025-4949[0]:
| In Eclipse JGit versions 7.2.0.202503040940-r and older, the
| ManifestParser class used by the repo command and the AmazonS3 class
| used to implement the experimental amazons3 git transport protocol
| allowing to store git pack files in an Amazon S3 bucket, are
| vulnerable to XML External Entity (XXE) attacks when parsing XML
| files. This vulnerability can lead to information disclosure, denial
| of service, and other security issues.

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
https://gitlab.eclipse.org/security/cve-assignement/-/issues/64


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-4949
https://www.cve.org/CVERecord?id=CVE-2025-4949

Please adjust the affected versions in the BTS as needed.

#1106287 jgit: CVE-2025-4949 #1106287

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)