Bug 2367730 (CVE-2025-4949)

Summary: CVE-2025-4949 org.eclipse.jgit: XXE vulnerability in Eclipse JGit
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, adupliak, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chfoley, cmah, cmiranda, darran.lofthouse, dbruscin, dhanak, dkreling, dosoudil, drosa, eaguilar, ebaron, eric.wittmann, fjuma, fmariani, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jcantril, jolong, jpoth, jrokos, jscholz, kvanderr, kverlaen, lgao, mnovotny, mosmerov, mposolda, msochure, msvehla, nipatil, nwallace, pantinor, pbizzarr, pcongius, pdelbell, periklis, pesilva, pjindal, pmackay, porcelli, rguimara, rkieley, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sfroberg, smaestri, ssilvert, sthorger, swoodman, tcunning, tom.jenkinson, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Eclipse JGit. This vulnerability can allow information disclosure, denial of service, and other security issues when parsing XML files.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2367747    
Bug Blocks:    

Description OSIDB Bzimport 2025-05-21 07:01:12 UTC 
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.
Comment 3 errata-xmlrpc 2025-10-14 17:59:07 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10

Via RHSA-2025:18028 https://access.redhat.com/errata/RHSA-2025:18028
Comment 5 errata-xmlrpc 2025-11-26 16:55:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2025:22187 https://access.redhat.com/errata/RHSA-2025:22187
Comment 6 errata-xmlrpc 2025-11-26 16:56:00 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9

Via RHSA-2025:22188 https://access.redhat.com/errata/RHSA-2025:22188
Comment 7 errata-xmlrpc 2025-11-26 17:02:40 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8

Via RHSA-2025:22190 https://access.redhat.com/errata/RHSA-2025:22190
Comment 8 errata-xmlrpc 2025-12-04 15:56:27 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:22773 https://access.redhat.com/errata/RHSA-2025:22773
Comment 9 errata-xmlrpc 2025-12-04 15:56:49 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9

Via RHSA-2025:22775 https://access.redhat.com/errata/RHSA-2025:22775
Comment 10 errata-xmlrpc 2025-12-04 15:57:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0

Via RHSA-2025:22777 https://access.redhat.com/errata/RHSA-2025:22777