Eclipse JGit™: Java implementation of Git 4.9.6
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
JGit itself is not affected by this vulnerability. This release implements validation of .gitmodules files in JGit to protect unguarded tools.
- BaseReceivePack: Validate incoming .gitmodules files and reject submodule urls starting with '-' that could pass as options to an unguarded tool
- ObjectChecker: Report .gitmodules files found in the pack
- SubmoduleAddCommand: Reject submodule URIs that look like command line options
Conforms To UI/UX Guidelines: