UB:CVE-2023-4759 (Ubuntu CVE tracker, ubuntu.com)
Published: Sep 12, 2023 - 12:00 a.m.

CVE-2023-4759

Tags: arbitrary file overwrite, eclipse jgit 6.6.0, remote code execution, symbolic links, case-insensitive filesystems

AI Score: 8.9 High (confidence: High)
EPSS: 0.001 Low (percentile: 47.3%)

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0. In Eclipse JGit, all
versions <= 6.6.0.202305301015-r, a symbolic link present in a specially
crafted git repository can be used to write a file to locations outside the
working tree when this repository is cloned with JGit to a case-insensitive
filesystem, or when a checkout from a clone of such a repository is
performed on a case-insensitive filesystem. This can happen on checkout
(DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull
(PullCommand using merge), and when applying a patch (PatchApplier). This
can be exploited for remote code execution (RCE), for instance if the file
written outside the working tree is a git filter that gets executed on a
subsequent git command. The issue occurs only on case-insensitive
filesystems, like the default filesystems on Windows and macOS. The user
performing the clone or checkout must have the rights to create symbolic
links for the problem to occur, and symbolic links must be enabled in the
git configuration. Setting the git configuration option core.symlinks = false
before checking out avoids the problem. The issue was fixed in Eclipse JGit
versions 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven
Central (https://repo1.maven.org/maven2/org/eclipse/jgit/) and
repo.eclipse.org
(https://repo.eclipse.org/content/repositories/jgit-releases/). A backport
is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit
maintainers would like to thank RyotaK for finding and reporting this
issue.
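The description names core.symlinks = false, set before the checkout, as the workaround for installations that cannot yet move to a fixed release. The following is an added example of how to sequence that with the JGit API; it is not code from the JGit project or from this advisory. It clones with the working tree left untouched, writes the option into the new repository's config, and only then performs the checkout. The helper name, the placeholder URI, the target directory and the branch name "main" are this example's own assumptions; upgrading to 6.6.1.202309021850-r, 6.7.0.202309050840-r or the 5.13.3 backport remains the actual fix.

```java
import java.io.File;
import java.io.IOException;
import org.eclipse.jgit.api.Git;
import org.eclipse.jgit.api.errors.GitAPIException;
import org.eclipse.jgit.lib.ConfigConstants;
import org.eclipse.jgit.lib.StoredConfig;

public class SymlinkSafeClone {

    /**
     * Clone without touching the working tree, turn core.symlinks off in the
     * new repository's config, and only then check the branch out. With
     * core.symlinks = false JGit materialises symlink entries as plain files
     * containing the link target instead of creating real links, so a crafted
     * link in the repository cannot redirect later writes outside the working
     * tree. Helper name and arguments are this example's own, not JGit API.
     */
    public static Git cloneWithSymlinksDisabled(String uri, File dir, String branch)
            throws GitAPIException, IOException {
        // Fetch objects and refs, but skip the checkout that would normally
        // run before we have had a chance to change the repository config.
        Git git = Git.cloneRepository()
                .setURI(uri)
                .setDirectory(dir)
                .setNoCheckout(true)
                .call();

        // core.symlinks = false in the freshly created .git/config.
        StoredConfig cfg = git.getRepository().getConfig();
        cfg.setBoolean(ConfigConstants.CONFIG_CORE_SECTION, null,
                ConfigConstants.CONFIG_KEY_SYMLINKS, false);
        cfg.save();

        // Now create the local branch from the remote-tracking ref and check
        // it out; DirCacheCheckout reads the option set above.
        git.checkout()
                .setCreateBranch(true)
                .setName(branch)
                .setStartPoint("origin/" + branch)
                .call();
        return git;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URI and directory (assumed values); point them at a real
        // repository to try it.
        try (Git git = cloneWithSymlinksDisabled("https://example.invalid/repo.git",
                new File("checkout-dir"), "main")) {
            boolean symlinks = git.getRepository().getConfig().getBoolean(
                    ConfigConstants.CONFIG_CORE_SECTION, null,
                    ConfigConstants.CONFIG_KEY_SYMLINKS, true);
            System.out.println("Checked out " + git.getRepository().getBranch()
                    + " with core.symlinks=" + symlinks);
        }
    }
}
```

The same config write applies to an existing clone before a merge, pull or patch application, since the description lists those paths (ResolveMerger, PullCommand, PatchApplier) as affected too; the option only needs to be in place before the working tree is updated.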

Notes

Author Note
Priority reason: As per the CVE description, this issue only occurs in case-insensitive filesystems, and Ubuntu’s filesystem is case sensitive.
