CVE-2023-4218: XXE in eclipse IDE (#8) · Issues · Eclipse Projects Security / vulnerability-reports · GitLab
In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example, to review a foreign repository or patch).
XXE in eclipse IDE
Basic information
Project name: org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi
Project id: {id}
What are the affected versions?
Probably all.
Details of the issue
SonarLint reports many possible XXE attacks in the Eclipse IDE's source code, for example:
Steps to reproduce
Don't know. Probably by manipulating development XML files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", … which should normally be self-contained and do not require access to external sources.
Do you know any mitigations of the issue?
https://rules.sonarsource.com/java/RSPEC-2755 recommends replacing `SAXParserFactory.newInstance();` with code that disables external access via parser properties; see also https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Related news
### Impact

XML files like ".project" are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example, to review a foreign repository or patch). The vulnerability was found by static code analysis (SonarLint).

Example `.project` file:

```
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [ <!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
  <name>p</name>
  <comment>&xxe;</comment>
</projectDescription>
```

### Patches

Similar patches, including a JUnit test that shows the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The solution for platform should be the same: just reject parsing any XML that contains any `DOCTYPE`.

### Workarounds

No known workaround. Users can only avoid getting/opening any foreign files with Eclipse. Firewall rules help against loss of data (but not against an XML bomb).

### References

https://cwe.mit...
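The mitigation described under "Do you know any mitigations" (replace the bare `SAXParserFactory.newInstance()` with a factory that disables external access) and under "Patches" (reject any XML carrying a `DOCTYPE`) is illustrated below. This is an added example written for this page; it is not code from Eclipse PDE, Platform, or the linked pull request. The class name `XxeHardening`, the helper names, and the sample documents are assumptions; the sample with a `DOCTYPE` is modelled on the advisory's `.project` example and its `SYSTEM` URI is never fetched because the hardened parser stops at the `DOCTYPE` declaration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardening {

    // Constructed sample modelled on the advisory's .project example.
    // The SYSTEM URI is a placeholder; with the hardened factory it is never requested.
    static final String PROJECT_WITH_DOCTYPE =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE price [ <!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\">]>\n"
      + "<projectDescription><name>p</name><comment>&xxe;</comment></projectDescription>";

    // Constructed benign .project file: no DOCTYPE, parses normally.
    static final String PROJECT_PLAIN =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<projectDescription><name>p</name><comment>ok</comment></projectDescription>";

    /** The pattern SonarLint flags (RSPEC-2755): a default factory resolves external entities. */
    static SAXParserFactory vulnerableFactory() {
        return SAXParserFactory.newInstance();
    }

    /**
     * Hardened factory: reject any DOCTYPE outright (the approach the advisory's
     * "Patches" section describes), and additionally switch off external entity
     * and external DTD loading as defence in depth, per the OWASP cheat sheet.
     */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    /** Returns the text of the <comment> element, or null when the parser rejects the document. */
    static String commentOf(SAXParserFactory factory, String xml)
            throws ParserConfigurationException, SAXException, java.io.IOException {
        StringBuilder comment = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            private boolean inComment;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                inComment = "comment".equals(qName);
            }
            @Override public void endElement(String uri, String local, String qName) {
                inComment = false;
            }
            @Override public void characters(char[] ch, int start, int len) {
                if (inComment) comment.append(ch, start, len);
            }
        };
        SAXParser parser = factory.newSAXParser();
        try {
            parser.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))), handler);
        } catch (SAXException rejected) {
            // With disallow-doctype-decl the parser fails at the DOCTYPE line, before any
            // entity declaration is processed, so no network or file access takes place.
            return null;
        }
        return comment.toString();
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory hardened = hardenedFactory();
        // Benign file still parses: prints "ok".
        System.out.println("hardened, plain .project:   " + commentOf(hardened, PROJECT_PLAIN));
        // File with a DOCTYPE is refused as a whole: prints "null".
        System.out.println("hardened, DOCTYPE .project: " + commentOf(hardened, PROJECT_WITH_DOCTYPE));
        // vulnerableFactory() is deliberately not used on PROJECT_WITH_DOCTYPE here:
        // with it the parser would attempt to resolve the SYSTEM entity.
    }
}
```

Rejecting every `DOCTYPE` is a coarse but safe rule for files such as `.project`, `plugin.xml` or `feature.xml`, which the report notes should be self-contained and never need a DTD. A project that legitimately has to accept a DTD would keep `disallow-doctype-decl` off and rely on the remaining three feature flags, which is the second configuration the OWASP cheat sheet describes.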