CVE-2023-4759 in JGit
Summary
by MITRE • 09/12/2023
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0
In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.
This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.
The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.
Setting git configuration option core.symlinks = false before checking out avoids the problem.
The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ .
The JGit maintainers would like to thank RyotaK for finding and reporting this issue.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/22/2025
The vulnerability described in CVE-2023-4759 represents a critical arbitrary file overwrite flaw within Eclipse JGit versions up to 6.6.0, with implications for software supply chain security and remote code execution capabilities. This vulnerability stems from improper handling of symbolic links during repository operations on case-insensitive filesystems, creating a path traversal scenario that allows attackers to write files outside the intended working directory. The flaw specifically manifests when JGit processes repositories containing malicious symbolic links on filesystems where file paths are treated without case sensitivity, such as the default filesystems on Windows and macOS operating systems.
The technical exploitation of this vulnerability occurs through multiple JGit operations including DirCacheCheckout, ResolveMerger via WorkingTreeUpdater, PullCommand using merge functionality, and PatchApplier. These operations create opportunities for attackers to manipulate the filesystem by crafting specially designed git repositories that contain symbolic links pointing to arbitrary locations outside the working tree. When such repositories are cloned or checked out on case-insensitive filesystems, the symbolic link resolution process can result in unintended file creation or modification at locations outside the repository's intended boundaries. This behavior directly maps to CWE-22 Path Traversal vulnerabilities, where insufficient input validation allows attackers to manipulate file paths and access restricted directories.
The operational impact of this vulnerability extends beyond simple file overwrite capabilities to potentially enable full remote code execution when combined with git filter mechanisms. Attackers can strategically place malicious files in locations where subsequent git operations will execute them, creating persistent backdoors or privilege escalation vectors. The vulnerability requires specific conditions to be exploitable including the presence of symbolic link capabilities in the git configuration, user permissions to create symbolic links, and operation on case-insensitive filesystems. This constraint reduces the attack surface but does not eliminate the risk, particularly in environments where developers frequently clone repositories or perform git operations on systems with default case-insensitive filesystems. The vulnerability aligns with ATT&CK technique T1059.006 Command and Scripting Interpreter: PowerShell, where attackers can leverage git filter execution points to establish persistent access.
The mitigation strategy involves updating to JGit versions 6.6.1.202309021850-r or 6.7.0.202309050840-r, which contain the necessary patches to properly validate symbolic link operations and prevent path traversal during repository operations. Alternative mitigations include setting the git configuration option core.symlinks = false before performing checkout operations, which disables symbolic link processing entirely and prevents the vulnerability from being exploited. Organizations should also implement security controls around repository cloning and checkout operations, particularly when dealing with untrusted repositories, and consider implementing automated scanning for potentially malicious symbolic links in repository contents. The fix addresses the root cause by implementing proper path validation and ensuring that symbolic link resolution respects the intended repository boundaries, preventing the escalation from symbolic link processing to arbitrary file system manipulation.