CVE-2023-4218: XXE in eclipse IDE (#8) · Issues · Eclipse Projects Security / vulnerability-reports · GitLab

In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open any evil project, or update an open project with a vulnerable file (for example, to review a foreign repository or patch).

Tags: CVE, #vulnerability, #git, #java


XXE in eclipse IDE

Basic information

Project name: org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi

Project id: {id}

What are the affected versions?

probably all

Details of the issue

SonarLint reports many possible XXE attacks in Eclipse IDE's source code. For example:

Steps to reproduce

Don't know. Probably manipulating development XML files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", … which should normally be self-contained and not require access to external sources.

Do you know any mitigations of the issue?

https://rules.sonarsource.com/java/RSPEC-2755 recommends replacing "SAXParserFactory.newInstance();" with code that disables external access via parser properties; see also https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Related news

GHSA-j24h-xcpc-9jw8: Eclipse IDE XXE in eclipse.platform

### Impact

XML files like `.project` are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open any evil project, or update an open project with a vulnerable file (for example, to review a foreign repository or patch). The vulnerability was found by static code analysis (SonarLint). Example `.project` file:

```
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [ <!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
<name>p</name>
<comment>&xxe;</comment>
</projectDescription>
```

### Patches

Similar patches, including a JUnit test that demonstrates the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The solution for platform should be the same: reject parsing any XML that contains a `DOCTYPE`.

### Workarounds

No known workaround. Users can only avoid getting/opening any foreign files with Eclipse. Firewall rules help against loss of data (but not against an XML bomb).

### References

https://cwe.mit...
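The issue's mitigation (replace a bare `SAXParserFactory.newInstance()` with a factory whose external-access features are switched off) and the advisory's fix (reject any XML carrying a `DOCTYPE`) are the same JAXP configuration. The following is an added example, written here for illustration and not code from the Eclipse projects or the linked PDE pull request. It assumes the stock JDK XML parser (Xerces-derived, which understands the `http://apache.org/xml/features/...` feature URIs) and uses a constructed `.project` string in the shape of the advisory's sample; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ProjectFileXxeDemo {

    // Constructed sample input (not a real Eclipse project): a ".project" file whose
    // DOCTYPE declares an external entity, shaped like the advisory's example.
    // The URL is a placeholder; the hardened parser never contacts it.
    static final String EVIL_PROJECT =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE projectDescription [ <!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\"> ]>\n"
      + "<projectDescription><name>p</name><comment>&xxe;</comment></projectDescription>";

    // Constructed benign ".project" file, to show the hardened parser still accepts normal input.
    static final String BENIGN_PROJECT =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<projectDescription><name>p</name><comment>hello</comment></projectDescription>";

    // Before: the pattern RSPEC-2755 flags. With JAXP defaults the parser resolves
    // external entities, so parsing EVIL_PROJECT would fetch the URL from the DOCTYPE.
    // Kept for contrast only; main() deliberately does not call it on EVIL_PROJECT.
    static Document parseUnsafe(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // After: refuse any DOCTYPE outright (the fix the advisory describes) and, as
    // defence in depth, also disable entity expansion and external DTD loading in
    // case a later change relaxes the DOCTYPE rule.
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // The same hardening for the SAXParserFactory.newInstance() call sites the issue mentions.
    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    static Document parseHardened(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedDomFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document ok = parseHardened(BENIGN_PROJECT);
        System.out.println("benign project name: "
                + ok.getElementsByTagName("name").item(0).getTextContent());

        try {
            parseHardened(EVIL_PROJECT);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected with disallow-doctype-decl: the parser fails fast on the DOCTYPE,
            // before any entity declaration is read, so no network request is made.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE is the right default for files such as `.project`, `plugin.xml` or `feature.xml`, which never legitimately need a DTD; the remaining feature flags only matter if some call site must keep accepting a DOCTYPE, and they are cheap to set alongside it.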
