CVE-2023-4218

XXE in eclipse.platform / Eclipse IDE

Severity Score: 5.0 (CVSS v3.1)

Exploit Likelihood: (EPSS)

Affected Versions: (CPE)

Public Exploits: 1 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: Attend (SSVC)
Descriptions

In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open any malicious project, or update an already open project with a vulnerable file (for example, to review a foreign repository or patch).

*Credits: Jörg Kubitz
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: PoC
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2023-08-08 CVE Reserved
  • 2023-11-09 CVE Published
  • 2023-11-25 EPSS Updated
  • 2024-09-03 CVE Updated
  • 2024-09-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
Affected Vendors, Products, and Versions

Vendor  | Product                  | Version      | Other | Status
--------|--------------------------|--------------|-------|---------
Eclipse | Eclipse Ide              | < 4.29       | -     | Affected
Eclipse | Org.eclipse.core.runtime | < 3.29.0     | -     | Affected
Eclipse | Pde                      | < 3.13.2400  | -     | Affected