CVE-2023-4759: 
Java vulnerability analysis and mitigation

A symbolic link vulnerability was discovered in Eclipse JGit versions <= 6.6.0.202305301015-r. The vulnerability (CVE-2023-4759) allows an attacker to write files to locations outside the working tree when cloning a specially crafted git repository with JGit on a case-insensitive filesystem, or when performing a checkout from such a repository. The issue was discovered by RyotaK and was fixed in Eclipse JGit versions 6.6.1.202309021850-r, 6.7.0.202309050840-r, and backported to 5.13.3.202401111512-r (Eclipse Advisory, NVD).

The vulnerability occurs due to improper handling of case sensitivity in filesystems. The issue manifests during checkout operations (DirCacheCheckout), merge operations (ResolveMerger via WorkingTreeUpdater), pull operations (PullCommand using merge), and when applying patches (PatchApplier). The vulnerability specifically affects case-insensitive filesystems, which are default on Windows and macOS. For exploitation, the user must have rights to create symbolic links, and symbolic links must be enabled in the git configuration (NVD).

The vulnerability can be exploited for remote code execution (RCE) if the file written outside the working tree is a git filter that gets executed on a subsequent git command. This presents a significant security risk as it allows attackers to execute arbitrary code through carefully crafted repositories (NVD).

As a temporary workaround, users can set the git configuration option core.symlinks = false before checking out to avoid the problem. For a permanent fix, users should upgrade to Eclipse JGit version 6.6.1.202309021850-r, 6.7.0.202309050840-r, or 5.13.3.202401111512-r (starting from 5.13.3.202401111512-r) (NVD).