GHSA-j24h-xcpc-9jw8

Source
https://github.com/advisories/GHSA-j24h-xcpc-9jw8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-j24h-xcpc-9jw8/GHSA-j24h-xcpc-9jw8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j24h-xcpc-9jw8
Aliases
Published
2023-11-30T19:52:54Z
Modified
2024-12-03T06:08:39.967584Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
Eclipse IDE XXE in eclipse.platform
Details

Impact

XML files such as ".project" are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open a malicious project, or update an open project with a malicious file (for example, when reviewing a foreign repository or patch).

The vulnerability was found by static code analysis (SonarLint).

Example .project file:

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE price [
<!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
    <name>p</name>
    <comment>&xxe;</comment>
</projectDescription>

Patches

Similar patches, including a JUnit test that demonstrates the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The fix for the platform should be the same: refuse to parse any XML that contains a DOCTYPE.
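The parser configuration described in the Patches paragraph, written out as an added example (this is not the advisory's or Eclipse's own fix): a DocumentBuilder that treats any DOCTYPE as a fatal error, tried against the hostile .project file from the example above and against a benign one. The class and method names are assumed, and both input strings are constructed here.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public final class SafeProjectDescriptionParser {
    // Constructed input: the advisory's hostile .project example, with an external entity.
    static final String HOSTILE_PROJECT =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE price [<!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\">]>\n"
      + "<projectDescription><name>p</name><comment>&xxe;</comment></projectDescription>";
    // Constructed input: a benign .project file without any DOCTYPE.
    static final String BENIGN_PROJECT =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<projectDescription><name>p</name><comment>plain text</comment></projectDescription>";

    // Builds a DocumentBuilder that fails fast on any DOCTYPE, so no entity (internal or
    // external) can ever be declared; this blocks external-entity fetches and XML bombs alike.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the <comment> text of a .project document, or null when the parser rejected
    // it: with the settings above a DOCTYPE is a fatal parse error, raised before any entity
    // is resolved.
    static String parseComment(String xml) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("comment").item(0).getTextContent();
        } catch (SAXParseException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign  -> " + parseComment(BENIGN_PROJECT));
        System.out.println("hostile -> " + parseComment(HOSTILE_PROJECT));
    }
}
```

The benign file yields its comment text, while the hostile file is rejected at the DOCTYPE, so the external entity is never declared, let alone fetched.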

Workarounds

No known workaround. Users can only avoid fetching or opening any foreign files with Eclipse. Firewall rules protect against loss of data (but not against an XML bomb).

References

  • https://cwe.mitre.org/data/definitions/611.html
  • https://rules.sonarsource.com/java/RSPEC-2755
  • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-30T19:52:54Z"
}
Affected packages

Maven / org.eclipse.platform:org.eclipse.core.runtime

Package

Name
org.eclipse.platform:org.eclipse.core.runtime
Purl
pkg:maven/org.eclipse.platform/org.eclipse.core.runtime

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.29.0

Affected versions

3.*

3.12.0
3.13.0
3.14.0
3.15.0
3.15.100
3.15.200
3.15.300
3.16.0
3.17.0
3.17.100
3.18.0
3.19.0
3.20.0
3.20.100
3.22.0
3.23.0
3.24.0
3.24.100
3.25.0
3.26.0
3.26.100
3.27.0

Maven / org.eclipse.platform:org.eclipse.platform

Package

Name
org.eclipse.platform:org.eclipse.platform
Purl
pkg:maven/org.eclipse.platform/org.eclipse.platform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.29.0

Affected versions

4.*

4.6.2
4.6.3
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.9.0
4.10.0
4.11.0
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.18.0
4.19.0
4.20.0
4.21.0
4.22.0
4.23.0
4.24.0
4.25.0
4.26.0
4.27.0
4.28.0

Maven / org.eclipse.platform:org.eclipse.jface

Package

Name
org.eclipse.platform:org.eclipse.jface
Purl
pkg:maven/org.eclipse.platform/org.eclipse.jface

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.31.0

Affected versions

3.*

3.12.1
3.12.2
3.13.0
3.13.1
3.13.2
3.14.0
3.14.100
3.15.0
3.15.100
3.16.0
3.17.0
3.18.0
3.19.0
3.20.0
3.21.0
3.22.0
3.22.100
3.22.200
3.23.0
3.24.0
3.25.0
3.26.0
3.27.0
3.28.0
3.29.0
3.30.0

Maven / org.eclipse.platform:org.eclipse.ui.forms

Package

Name
org.eclipse.platform:org.eclipse.ui.forms
Purl
pkg:maven/org.eclipse.platform/org.eclipse.ui.forms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.13.0

Affected versions

3.*

3.7.0
3.7.1
3.7.100
3.7.101
3.7.200
3.7.300
3.7.400
3.7.500
3.8.0
3.8.100
3.8.200
3.9.0
3.9.100
3.10.0
3.11.0
3.11.100
3.11.200
3.11.300
3.11.400
3.11.500
3.11.600
3.12.0

Maven / org.eclipse.platform:org.eclipse.ui.ide

Package

Name
org.eclipse.platform:org.eclipse.ui.ide
Purl
pkg:maven/org.eclipse.platform/org.eclipse.ui.ide

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.21.100

Affected versions

3.*

3.12.2
3.12.3
3.13.0
3.13.1
3.14.0
3.14.100
3.14.200
3.15.0
3.15.200
3.16.0
3.16.100
3.17.0
3.17.100
3.17.200
3.18.0
3.18.100
3.18.200
3.18.300
3.18.400
3.18.500
3.19.0
3.19.100
3.20.0
3.20.100
3.21.0

Maven / org.eclipse.platform:org.eclipse.ui.workbench

Package

Name
org.eclipse.platform:org.eclipse.ui.workbench
Purl
pkg:maven/org.eclipse.platform/org.eclipse.ui.workbench

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.130.0

Affected versions

3.*

3.108.2
3.108.3
3.110.0
3.110.1
3.111.0
3.112.0
3.112.100
3.113.0
3.115.0
3.116.0
3.117.0
3.118.0
3.119.0
3.120.0
3.122.0
3.122.100
3.122.200
3.123.0
3.124.0
3.125.0
3.125.100
3.126.0
3.127.0
3.128.0
3.129.0

Maven / org.eclipse.platform:org.eclipse.urischeme

Package

Name
org.eclipse.platform:org.eclipse.urischeme
Purl
pkg:maven/org.eclipse.platform/org.eclipse.urischeme

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.3.100

Affected versions

1.*

1.0.0
1.0.100
1.0.200
1.0.300
1.0.400
1.0.500
1.0.600
1.1.0
1.1.100
1.1.200
1.1.300
1.1.400
1.2.0
1.2.100
1.2.200
1.2.300
1.3.0

Maven / org.eclipse.jdt:org.eclipse.jdt.ui

Package

Name
org.eclipse.jdt:org.eclipse.jdt.ui
Purl
pkg:maven/org.eclipse.jdt/org.eclipse.jdt.ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.30.0

Affected versions

3.*

3.12.2
3.13.0
3.13.50
3.13.51
3.13.52
3.13.100
3.14.0
3.15.0
3.16.0
3.17.0
3.18.0
3.19.0
3.20.0
3.21.0
3.21.100
3.21.200
3.22.0
3.22.100
3.23.0
3.24.0
3.25.0
3.26.0
3.26.100
3.27.0
3.27.100
3.28.0
3.29.0