CVE-2025-4949
Severity: MEDIUM · EPSS 60.9%
Published May 21, 2025 · Modified Jun 17, 2026
CVSS 4.0 base score: 6.8
Description
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol (which allows git pack files to be stored in an Amazon S3 bucket) are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
CVSS Details
Base Score: 6.8 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green
Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Privileges Required: Low (PR:L)
User Interaction: Active (UI:A)
Scope: N
Threat Intelligence
EPSS exploit probability: 60.9% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses (2)
CWE-611: Improper Restriction of XML External Entity Reference
CWE-827: Improper Control of Document Type Definition
Affected Products (5)
References (7)
- gitlab.eclipse.org https://gitlab.eclipse.org/security/cve-assignement/-/issues/64
- gitlab.eclipse.org https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281
- projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4
- projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1
- projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1
- projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1
- projects.eclipse.org https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1
Remediation
No remediation data recorded yet.
Check vendor advisories and the NVD entry for patch availability; the projects.eclipse.org release pages listed under References (5.13.4, 6.10.1, 7.0.1, 7.1.1 and 7.2.1) are the JGit releases cited for this CVE.