Eclipse JGit XML External Entity Vulnerability in ManifestParser and AmazonS3 Classes

Vulnerability

A vulnerability allowing XML External Entity (XXE) attacks has been identified in Eclipse JGit versions 7.2.0.202503040940-r and earlier. The issue resides in the ManifestParser class, used by the repo command, and the AmazonS3 class, which implements the experimental amazons3 git transport protocol for storing git pack files in an Amazon S3 bucket. Both classes parse XML files without properly disabling external entity processing, potentially leading to information disclosure, denial of service, and other security issues.

Impact

Exploiting this vulnerability enables XML External Entity (XXE) attacks, which can allow an attacker to read local files on the host running JGit or to cause a denial of service by making the application process large amounts of data or resources while resolving entities.

Reproduction

The vulnerability can be reproduced by adding a test case to the ManifestParserTest class. This test case should create a malicious XML file that includes a DOCTYPE declaration referencing an external entity. When the ManifestParser processes this XML, it will attempt to access the external entity, demonstrating the XXE vulnerability. The same exploitation method can be applied to the AmazonS3 class when it parses XML responses from S3 that an attacker controls.
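As an added illustration of the parsing behaviour described above (this is not JGit's code and not the project's actual fix), the following Java program places the default JAXP DocumentBuilderFactory configuration beside a hardened one, parses a constructed manifest-style document through both, and then feeds a constructed document carrying a DOCTYPE with an external entity declaration, the shape of input the reproduction above describes, to the hardened parser to confirm it is rejected before any entity is resolved. The class and method names, the sample XML and the placeholder SYSTEM identifier are assumptions made for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added illustration of XXE-safe XML parsing; not JGit's own ManifestParser or AmazonS3 code. */
public final class XxeSafeManifestParsing {

    // Constructed input: a minimal repo-style manifest with no DOCTYPE.
    static final String BENIGN_MANIFEST =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<manifest>\n"
        + "  <remote name=\"origin\" fetch=\"https://example.invalid/\"/>\n"
        + "  <default remote=\"origin\" revision=\"main\"/>\n"
        + "  <project name=\"tools/demo\" path=\"demo\"/>\n"
        + "</manifest>";

    // Constructed input: the same manifest with a DOCTYPE declaring an external
    // entity, which is the kind of document the advisory's reproduction test uses.
    // The SYSTEM identifier is a placeholder, not a real path.
    static final String DOCTYPE_MANIFEST =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"file:///placeholder/local-file\">]>\n"
        + "<manifest><remote name=\"&ext;\" fetch=\"https://example.invalid/\"/></manifest>";

    /** Default JAXP configuration: DOCTYPEs are accepted and external entities are resolved. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject any document that carries a DOCTYPE at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a non-Xerces parser ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty string forbids every external access protocol.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses the manifest with the given factory and returns the name of its first remote. */
    static String firstRemoteName(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("remote").item(0)
                  .getAttributes().getNamedItem("name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        // A DOCTYPE-free manifest parses identically under both configurations.
        System.out.println("benign/default:  " + firstRemoteName(defaultFactory(), BENIGN_MANIFEST));
        System.out.println("benign/hardened: " + firstRemoteName(hardenedFactory(), BENIGN_MANIFEST));

        // The hardened parser rejects the DOCTYPE document before any entity is
        // resolved. The default parser would instead try to fetch the SYSTEM
        // identifier, succeeding or failing depending on whether it exists.
        try {
            firstRemoteName(hardenedFactory(), DOCTYPE_MANIFEST);
            System.out.println("hardened parser accepted a DOCTYPE: check parser features");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The disallow-doctype-decl feature is the single setting that closes the class of bug this advisory describes, because an XXE payload needs a DOCTYPE to declare its entity; the remaining features and the ACCESS_EXTERNAL_* properties are there so that a parser implementation which does not honour that feature still refuses to reach outside the document. A regression test in the spirit of the one described above can simply assert that parsing DOCTYPE_MANIFEST with the hardened factory throws a SAXException.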

Remediation

Users can upgrade to Eclipse JGit versions 7.2.1.202505221210-r, 7.0.1.202505221510-r, 7.1.1.202505221757-r or 6.10.1.202505221210-r, all of which include the necessary fix. Instructions for downloading these versions are available on the Eclipse JGit release page.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 1.4
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.