Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-4949
Good to know:
Date: May 21, 2025
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
Severity Score
Related Resources (9)
Severity Score
Weakness Type (CWE)
Top Fix
Upgrade Version
Upgrade to version org.eclipse.jgit:org.eclipse.jgit:7.2.1.202505142326-r;org.eclipse.jgit:org.eclipse.jgit:7.0.1.202505221510-r;org.eclipse.jgit:org.eclipse.jgit:6.10.1.202505221210-r;org.eclipse.jgit:org.eclipse.jgit:7.1.1.202505221757-r;https://github.com/eclipse-jgit/jgit.git - v7.2.1.202505142326-r;https://github.com/eclipse-jgit/jgit.git - null;https://github.com/eclipse-jgit/jgit.git - v7.0.1.202505221510-r;https://github.com/eclipse-jgit/jgit.git - v6.10.1.202505221210-r;https://github.com/eclipse-jgit/jgit.git - v7.1.1.202505221757-r
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |