{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-4949", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2025-05-19T07:02:22.381Z", "datePublished": "2025-05-21T06:47:19.777Z", "dateUpdated": "2025-05-23T07:00:45.737Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://projects.eclipse.org", "defaultStatus": "unaffected", "product": "Eclipse JGit", "repo": "https://github.com/eclipse-jgit/jgit", "vendor": "Eclipse JGit", "versions": [{"lessThan": "7.2.1.202505142326-r", "status": "affected", "version": "7.2.0", "versionType": "osgi"}, {"lessThan": "7.1.1.202505221757-r", "status": "affected", "version": "7.1.0", "versionType": "osgi"}, {"lessThan": "7.0.1.202505221510-r", "status": "affected", "version": "7.0.0", "versionType": "osgi"}, {"lessThan": "6.10.1.202505221210-r", "status": "affected", "version": "0", "versionType": "osgi"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit", "product": "Eclipse JGit", "repo": "https://github.com/eclipse-jgit/jgit", "vendor": "Eclipse JGit", "versions": [{"lessThan": "7.2.1.202505142326-r", "status": "affected", "version": "7.2.0", "versionType": "osgi"}, {"lessThan": "7.1.1.202505221757-r", "status": "affected", "version": "7.1.0", "versionType": "osgi"}, {"lessThan": "7.0.1.202505221510-r", "status": "affected", "version": "7.0.0", "versionType": "osgi"}, {"lessThan": "6.10.1.202505221210-r", "status": "affected", "version": "0", "versionType": "osgi"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Simon Gerst (intrigus-lgtm) https://intrigus.org"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the <code>ManifestParser</code> class used by the <code>repo</code> command and the <code>AmazonS3</code> class used to implement the experimental <code>amazons3</code> git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues."}], "value": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues."}], "impacts": [{"capecId": "CAPEC-201", "descriptions": [{"lang": "en", "value": "CAPEC-201 Serialized Data External Linking"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.8, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL."}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-827", "description": "CWE-827 Improper Control of Document Type Definition", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-05-23T07:00:45.737Z"}, "references": [{"tags": ["release-notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1"}, {"tags": ["release-notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1"}, {"tags": ["release-notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1"}, {"tags": ["release-notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1"}, {"tags": ["issue-tracking"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"}, {"tags": ["issue-tracking"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64"}], "source": {"discovery": "EXTERNAL"}, "title": "XXE vulnerability in Eclipse JGit", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-21T10:22:48.944398Z", "id": "CVE-2025-4949", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T10:24:58.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4949", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-21T10:22:48.944398Z"}}}], "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T10:24:46.428Z"}}], "cna": {"title": "XXE vulnerability in Eclipse JGit", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Simon Gerst (intrigus-lgtm) https://intrigus.org"}], "impacts": [{"capecId": "CAPEC-201", "descriptions": [{"lang": "en", "value": "CAPEC-201 Serialized Data External Linking"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 6.8, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green", "providerUrgency": "GREEN", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL."}]}], "affected": [{"repo": "https://github.com/eclipse-jgit/jgit", "vendor": "Eclipse JGit", "product": "Eclipse JGit", "versions": [{"status": "affected", "version": "7.2.0", "lessThan": "7.2.1.202505142326-r", "versionType": "osgi"}, {"status": "affected", "version": "7.1.0", "lessThan": "7.1.1.202505221757-r", "versionType": "osgi"}, {"status": "affected", "version": "7.0.0", "lessThan": "7.0.1.202505221510-r", "versionType": "osgi"}, {"status": "affected", "version": "0", "lessThan": "6.10.1.202505221210-r", "versionType": "osgi"}], "collectionURL": "https://projects.eclipse.org", "defaultStatus": "unaffected"}, {"repo": "https://github.com/eclipse-jgit/jgit", "vendor": "Eclipse JGit", "product": "Eclipse JGit", "versions": [{"status": "affected", "version": "7.2.0", "lessThan": "7.2.1.202505142326-r", "versionType": "osgi"}, {"status": "affected", "version": "7.1.0", "lessThan": "7.1.1.202505221757-r", "versionType": "osgi"}, {"status": "affected", "version": "7.0.0", "lessThan": "7.0.1.202505221510-r", "versionType": "osgi"}, {"status": "affected", "version": "0", "lessThan": "6.10.1.202505221210-r", "versionType": "osgi"}], "packageName": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1", "tags": ["release-notes"]}, {"url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1", "tags": ["release-notes"]}, {"url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1", "tags": ["release-notes"]}, {"url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1", "tags": ["release-notes"]}, {"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281", "tags": ["issue-tracking"]}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64", "tags": ["issue-tracking"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.", "supportingMedia": [{"type": "text/html", "value": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the <code>ManifestParser</code> class used by the <code>repo</code> command and the <code>AmazonS3</code> class used to implement the experimental <code>amazons3</code> git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-827", "description": "CWE-827 Improper Control of Document Type Definition"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2025-05-23T07:00:45.737Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4949", "state": "PUBLISHED", "dateUpdated": "2025-05-23T07:00:45.737Z", "dateReserved": "2025-05-19T07:02:22.381Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2025-05-21T06:47:19.777Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jgit:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9229A9D-23D4-410B-9455-3102CB366F10", "versionEndIncluding": "7.2.0.202503040940-r", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues."}, {"lang": "es", "value": "En las versiones 7.2.0.202503040940-r y anteriores de Eclipse JGit, la clase ManifestParser, utilizada por el comando repo, y la clase AmazonS3, utilizada para implementar el protocolo experimental de transporte de Git amazons3, que permite almacenar archivos de paquetes de Git en un bucket de Amazon S3, son vulnerables a ataques de Entidad Externa XML (XXE) al analizar archivos XML. Esta vulnerabilidad puede provocar divulgaci\u00f3n de informaci\u00f3n, denegaci\u00f3n de servicio y otros problemas de seguridad."}], "id": "CVE-2025-4949", "lastModified": "2025-06-17T14:10:34.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2025-05-21T07:16:01.397", "references": [{"source": "emo@eclipse.org", "tags": ["Vendor Advisory", "Issue Tracking"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64"}, {"source": "emo@eclipse.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"}, {"source": "emo@eclipse.org", "tags": ["Release Notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1"}, {"source": "emo@eclipse.org", "tags": ["Release Notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1"}, {"source": "emo@eclipse.org", "tags": ["Release Notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1"}, {"source": "emo@eclipse.org", "tags": ["Release Notes"], "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}, {"lang": "en", "value": "CWE-827"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "JGit: XXE vulnerability in Eclipse JGit", "id": "2367730", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367730"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "(CWE-611|CWE-827)", "details": ["In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.", "A flaw was found in Eclipse JGit. This vulnerability can allow information disclosure, denial of service, and other security issues via parsing XML files."], "name": "CVE-2025-4949", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.apache", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins-2-plugins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.archive", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.gpg.bc", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.apache", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.server", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.pgm", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ui", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ant", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ant.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.archive", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.benchmarks", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.gpg.bc", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.gpg.bc.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.apache", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.server", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit.http", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit.ssh", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.server", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.server.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit-org.eclipse.jgit-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.pgm", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.pgm.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.test", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ui", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ant", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ant.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.archive", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.benchmarks", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.gpg.bc", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.gpg.bc.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.apache", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit.http", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit.ssh", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.server.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit-org.eclipse.jgit-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.pgm", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.pgm.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.test", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ui", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ant", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ant.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.archive", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.benchmarks", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.gpg.bc", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.gpg.bc.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.apache", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit.http", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.junit.ssh", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.server.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.lfs.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit-org.eclipse.jgit-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.pgm", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.pgm.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.test", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ui", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.http.server", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.apache", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "streams for Apache Kafka"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "streams for Apache Kafka"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ui", "product_name": "streams for Apache Kafka"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "org.eclipse.jgit.ssh.jsch", "product_name": "streams for Apache Kafka 2"}], "public_date": "2025-05-21T06:47:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-4949\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-4949\nhttps://gitlab.eclipse.org/security/cve-assignement/-/issues/64\nhttps://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281\nhttps://projects.eclipse.org/projects/technology.jgit/releases/7.2.1"], "threat_severity": "Moderate"}