Eclipse JGit XXE Vulnerability: External Entity Injection in ManifestParser and MavenScm

Key Information Summary Vulnerability Overview Vulnerability Type: XXE (XML External Entity) vulnerability Affected Components: and classes in Eclipse JGit Specific Method: method Risk: Attackers can exploit this vulnerability via maliciously crafted XML files, leading to information disclosure, denial of service, or remote code execution. Vulnerability Detail 1 Description: uses to parse XML files without properly configuring it to disable external entity processing. Attack Method: Attackers can construct malicious XML files to exploit external entity references and read local file contents. Example Code: Provides test cases and attack scripts demonstrating how to trigger the vulnerability via HTTP requests. Vulnerability Detail 2 Description: The class also suffers from a similar issue, allowing attackers to control the response returned by . Impact Scope: If is used to interact with GitHub security advisors, attackers may leverage this vulnerability for further attacks. Remediation Recommendations Fix: Set the and properties to in the and classes to disable external entity resolution. Limitations Current Limitation: Cannot extract files from file systems containing symbolic links, as Java deserialization throws an exception in the URL class. Credit Reporter: Sitrinjus-Linas Related Links: Provides multiple GitHub links detailing the vulnerability discovery and remediation process.

Goal Reached Thanks to every supporter — we hit 100%!

Eclipse JGit XXE Vulnerability: External Entity Injection in ManifestParser and MavenScm