csaf_certbund - wid-sec-w-2024-0311

wid-sec-w-2024-0311

Vulnerability from csaf_certbund

Published

2024-02-06 23:00

Modified

2024-06-06 22:00

Summary

Red Hat JBoss A-MQ: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

JBoss A-MQ ist eine Messaging-Plattform. Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat JBoss A-MQ und Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen oder beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "hoch",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "JBoss A-MQ ist eine Messaging-Plattform.\r\nRed Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat JBoss A-MQ und Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen oder beliebigen Programmcode auszuführen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2024-0311 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0311.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2024-0311 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0311",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2024:0804 vom 2024-02-13",
            url: "https://access.redhat.com/errata/RHSA-2024:0804",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2024:0799 vom 2024-02-14",
            url: "https://access.redhat.com/errata/RHSA-2024:0799",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2024:1192 vom 2024-03-06",
            url: "https://access.redhat.com/errata/RHSA-2024:1192",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2024:1194 vom 2024-03-06",
            url: "https://access.redhat.com/errata/RHSA-2024:1194",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2024:1193 vom 2024-03-06",
            url: "https://access.redhat.com/errata/RHSA-2024:1193",
         },
         {
            category: "external",
            summary: "RedHat Security Advisory vom 2024-02-06",
            url: "https://access.redhat.com/errata/RHSA-2024:0710",
         },
         {
            category: "external",
            summary: "RedHat Security Advisory vom 2024-02-06",
            url: "https://access.redhat.com/errata/RHSA-2024:0711",
         },
         {
            category: "external",
            summary: "RedHat Security Advisory vom 2024-02-06",
            url: "https://access.redhat.com/errata/RHSA-2024:0712",
         },
         {
            category: "external",
            summary: "RedHat Security Advisory vom 2024-02-06",
            url: "https://access.redhat.com/errata/RHSA-2024:0714",
         },
         {
            category: "external",
            summary: "Red Hat Security Advisory RHSA-2024:3708 vom 2024-06-06",
            url: "https://access.redhat.com/errata/RHSA-2024:3708",
         },
      ],
      source_lang: "en-US",
      title: "Red Hat JBoss A-MQ: Mehrere Schwachstellen",
      tracking: {
         current_release_date: "2024-06-06T22:00:00.000+00:00",
         generator: {
            date: "2024-08-15T18:04:55.912+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.5",
            },
         },
         id: "WID-SEC-W-2024-0311",
         initial_release_date: "2024-02-06T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2024-02-06T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2024-02-13T23:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2024-03-06T23:00:00.000+00:00",
               number: "3",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
            {
               date: "2024-06-06T22:00:00.000+00:00",
               number: "4",
               summary: "Neue Updates von Red Hat aufgenommen",
            },
         ],
         status: "final",
         version: "4",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Red Hat Enterprise Linux",
                        product: {
                           name: "Red Hat Enterprise Linux",
                           product_id: "67646",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:-",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "7",
                        product: {
                           name: "Red Hat Enterprise Linux 7",
                           product_id: "T006054",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:7",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "9",
                        product: {
                           name: "Red Hat Enterprise Linux 9",
                           product_id: "T030908",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:9",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "8",
                        product: {
                           name: "Red Hat Enterprise Linux 8",
                           product_id: "T031155",
                           product_identification_helper: {
                              cpe: "cpe:/o:redhat:enterprise_linux:8",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Enterprise Linux",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "Camel for Spring Boot 1",
                        product: {
                           name: "Red Hat Integration Camel for Spring Boot 1",
                           product_id: "T035240",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:integration:camel_for_spring_boot_1",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Integration",
               },
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<7.4.15",
                        product: {
                           name: "Red Hat JBoss A-MQ <7.4.15",
                           product_id: "T032534",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "JBoss A-MQ",
               },
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<8.0.1",
                        product: {
                           name: "Red Hat JBoss Enterprise Application Platform <8.0.1",
                           product_id: "T033272",
                        },
                     },
                  ],
                  category: "product_name",
                  name: "JBoss Enterprise Application Platform",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-44483",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Red Hat JBoss A-MQ und Red Hat Enterprise Linux. Diese besteht in der Komponente \"Apache Santuario - XML Security\" und ist auf einen Fehler in der \"JSR 105\" API zurückzuführen, welcher einen privaten Schlüssel möglicherweise in die Logdateien schreibt. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T030908",
               "67646",
               "T033272",
               "T035240",
               "T006054",
               "T031155",
            ],
         },
         release_date: "2024-02-06T23:00:00.000+00:00",
         title: "CVE-2023-44483",
      },
      {
         cve: "CVE-2023-4759",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Red Hat JBoss A-MQ. Diese besteht in der Komponente \"Eclipse JGit\" und ist darauf zurückzuführen, dass mithilfe eines Symbolic Links außerhalb des Arbeitsverzeichnisses geschrieben werden kann. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen.",
            },
         ],
         product_status: {
            known_affected: [
               "67646",
               "T033272",
               "T035240",
            ],
         },
         release_date: "2024-02-06T23:00:00.000+00:00",
         title: "CVE-2023-4759",
      },
   ],
}

cve-2023-44483

Vulnerability from cvelistv5

Published

2023-10-20 09:23

Modified

2025-02-13 17:13

Severity ?

Summary

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

References

▼	URL	Tags
	https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55	vendor-advisory
	http://www.openwall.com/lists/oss-security/2023/10/20/5

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Santuario	Version: 2.2 ≤ Version: 2.3 ≤ Version: 3.0 ≤

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T20:07:33.435Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2023/10/20/5",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-44483",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-12T14:33:15.116438Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-12T14:36:02.225Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache Santuario",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "2.2.6",
                     status: "affected",
                     version: "2.2",
                     versionType: "semver",
                  },
                  {
                     lessThan: "2.3.4",
                     status: "affected",
                     version: "2.3",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.0.3",
                     status: "affected",
                     version: "3.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               value: "Apache Santuario would like to thank Max Fichtelmann for reporting this issue.",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.&nbsp;Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.<br>",
                  },
               ],
               value: "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "moderate",
                  },
                  type: "Textual description of severity",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-532",
                     description: "CWE-532 Insertion of Sensitive Information into Log File",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-10-20T09:25:12.008Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
               ],
               url: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55",
            },
            {
               url: "http://www.openwall.com/lists/oss-security/2023/10/20/5",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Apache Santuario: Private Key disclosure in debug-log output",
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2023-44483",
      datePublished: "2023-10-20T09:23:53.483Z",
      dateReserved: "2023-09-29T15:05:04.230Z",
      dateUpdated: "2025-02-13T17:13:41.449Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2023-4759

Vulnerability from cvelistv5

Published

2023-09-12 09:12

Modified

2024-08-02 07:37

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.

References

▼	URL	Tags
	https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11
	https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1
	https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1

Impacted products

	Vendor	Product	Version
	Eclipse Foundation	Eclipse JGit	Version: 0.0.0 ≤ 6.6.0.202305301015-r

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unaffected",
                  product: "jgit",
                  vendor: "eclipse",
                  versions: [
                     {
                        lessThanOrEqual: "6.6.0.202305301015-r",
                        status: "affected",
                        version: "0",
                        versionType: "semver",
                     },
                  ],
               },
               {
                  cpes: [
                     "cpe:2.3:a:eclipse:jgit:5.13.3.202401111512-r:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unaffected",
                  product: "jgit",
                  vendor: "eclipse",
                  versions: [
                     {
                        status: "unaffected",
                        version: "5.13.3.202401111512-r",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-4759",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-07-19T03:55:38.083883Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-07-19T13:51:38.023Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T07:37:59.574Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://git.eclipse.org/c/jgit/jgit.git/",
               defaultStatus: "unaffected",
               product: "Eclipse JGit",
               vendor: "Eclipse Foundation",
               versions: [
                  {
                     lessThanOrEqual: "6.6.0.202305301015-r",
                     status: "affected",
                     version: "0.0.0",
                     versionType: "semver",
                  },
                  {
                     status: "unaffected",
                     version: "  5.13.3.202401111512-r",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "finder",
               user: "00000000-0000-4000-9000-000000000000",
               value: "RyotaK",
            },
         ],
         datePublic: "2023-09-12T10:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>Arbitrary File Overwrite in Eclipse JGit &lt;= 6.6.0</p><p>In Eclipse JGit, all versions &lt;= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.</p><p>This can happen on checkout (<code>DirCacheCheckout</code>), merge (<code>ResolveMerger</code>&nbsp;via its <code>WorkingTreeUpdater</code>), pull (<code>PullCommand</code>&nbsp;using merge), and when applying a patch (<code>PatchApplier</code>). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.</p><p>The issue occurs only on case-<strong>in</strong>sensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.</p><p>Setting git configuration option <code>core.symlinks = false</code>&nbsp;before checking out avoids the problem.</p><p>The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via <a target=\"_blank\" rel=\"nofollow\" href=\"https://repo1.maven.org/maven2/org/eclipse/jgit/\">Maven Central</a>&nbsp;and <a target=\"_blank\" rel=\"nofollow\" href=\"https://repo.eclipse.org/content/repositories/jgit-releases/\">repo.eclipse.org</a>. A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.<br></p><p>The JGit maintainers would like to thank RyotaK for finding and reporting this issue.<br></p><br>",
                  },
               ],
               value: "Arbitrary File Overwrite in Eclipse JGit <= 6.6.0\n\nIn Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\n\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\n\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\n\nSetting git configuration option core.symlinks = false before checking out avoids the problem.\n\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via  Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and  repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from  5.13.3.202401111512-r.\n\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\n\n\n\n",
            },
         ],
         impacts: [
            {
               capecId: "CAPEC-132",
               descriptions: [
                  {
                     lang: "en",
                     value: "CAPEC-132 Symlink Attack",
                  },
               ],
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-59",
                     description: "CWE-59 Improper Link Resolution Before File Access ('Link Following')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-178",
                     description: "CWE-178 Improper Handling of Case Sensitivity",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-01-12T15:21:24.101Z",
            orgId: "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            shortName: "eclipse",
         },
         references: [
            {
               url: "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11",
            },
            {
               url: "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1",
            },
            {
               url: "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1",
            },
         ],
         source: {
            discovery: "EXTERNAL",
         },
         title: "Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write",
         workarounds: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "<p>Setting git configuration option <code>core.symlinks = false</code>&nbsp;before checking out avoids the problem.</p>",
                  },
               ],
               value: "Setting git configuration option core.symlinks = false before checking out avoids the problem.\n\n",
            },
         ],
         x_generator: {
            engine: "Vulnogram 0.1.0-dev",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
      assignerShortName: "eclipse",
      cveId: "CVE-2023-4759",
      datePublished: "2023-09-12T09:12:10.254Z",
      dateReserved: "2023-09-04T16:06:00.689Z",
      dateUpdated: "2024-08-02T07:37:59.574Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

wid-sec-w-2024-0311

Vulnerability from csaf_certbund

cve-2023-44483

Vulnerability from cvelistv5

cve-2023-4759

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature