GHSA-6vvc-c2m3-cjf3

Suggest an improvement
Source
https://github.com/advisories/GHSA-6vvc-c2m3-cjf3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vvc-c2m3-cjf3/GHSA-6vvc-c2m3-cjf3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6vvc-c2m3-cjf3
Aliases
Published
2022-05-17T19:57:29Z
Modified
2024-02-16T08:19:13.992280Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
JGit Improper Input Validation vulnerability
Details

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

References

Affected packages

Maven / org.eclipse.jgit:org.eclipse.jgit

Package

Name
org.eclipse.jgit:org.eclipse.jgit
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jgit/org.eclipse.jgit

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.3

Affected versions

1.*

1.2.0.201112221803-r
1.3.0.201202151440-r

2.*

2.0.0.201206130900-r
2.1.0.201209190230-r
2.2.0.201212191850-r
2.3.1.201302201838-r

3.*

3.0.0.201306101825-r
3.1.0.201310021548-r
3.2.0.201312181205-r
3.3.0.201403021825-r
3.3.1.201403241930-r
3.3.2.201404171909-r
3.4.0.201405051725-m7
3.4.0.201405211411-rc1
3.4.0.201405281120-rc2
3.4.0.201406041058-rc3
3.4.0.201406110918-r
3.4.1.201406201815-r
3.4.2.201412180340-r
3.5.0.201409071800-rc1
3.5.0.201409260305-r
3.5.1.201410131835-r
3.5.2.201411120430-r