Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qMjRoLXhjcGMtOWp3OM4AA3d2
Eclipse IDE XXE in eclipse.platform
Impact
xml files like ".project" are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
Vulnerablility was found by static code analysis (SonarLint).
Example .project file:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [
<!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
<name>p</name>
<comment>&xxe;</comment>
</projectDescription>
Patches
Similar patches including junit test that shows the vulnerability have already applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). A solution to platform should be the same: just reject parsing any XML that contains any DOCTYPE.
Workarounds
No known workaround. User can only avoid to get/open any foreign files with eclipse. Firewall rules against loss of data (but not against XML bomb).
References
https://cwe.mitre.org/data/definitions/611.html
https://rules.sonarsource.com/java/RSPEC-2755
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMjRoLXhjcGMtOWp3OM4AA3d2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 9 months ago
CVSS Score: 5.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-j24h-xcpc-9jw8, CVE-2023-4218
References:
- https://github.com/eclipse-platform/eclipse.platform/security/advisories/GHSA-j24h-xcpc-9jw8
- https://nvd.nist.gov/vuln/detail/CVE-2023-4218
- https://github.com/eclipse-emf/org.eclipse.emf/issues/10
- https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45
- https://github.com/eclipse-platform/eclipse.platform/pull/761
- https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b
- https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d
- https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec
- https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba
- https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd
- https://github.com/eclipse-platform/eclipse.platform/commit/5dc372a0c5002b7f22e5d49eaa1cbf0916455daf
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8
- https://github.com/eclipse-pde/eclipse.pde/pull/632
- https://github.com/eclipse-pde/eclipse.pde/pull/667
- https://github.com/advisories/GHSA-j24h-xcpc-9jw8
Blast Radius: 10.8
Affected Packages
maven:org.eclipse.jdt:org.eclipse.jdt.ui
Dependent packages: 21Dependent repositories: 26
Downloads:
Affected Version Ranges: < 3.30.0
Fixed in: 3.30.0
All affected versions: 3.12.2, 3.13.0, 3.13.50, 3.13.51, 3.13.52, 3.13.100, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.21.0, 3.21.100, 3.21.200, 3.22.0, 3.22.100, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.26.100, 3.27.0, 3.27.100, 3.28.0, 3.29.0
All unaffected versions: 3.30.0, 3.31.0, 3.32.0, 3.32.100, 3.33.0
maven:org.eclipse.platform:org.eclipse.urischeme
Dependent packages: 17Dependent repositories: 7
Downloads:
Affected Version Ranges: < 1.3.100
Fixed in: 1.3.100
All affected versions: 1.0.0, 1.0.100, 1.0.200, 1.0.300, 1.0.400, 1.0.500, 1.0.600, 1.1.0, 1.1.100, 1.1.200, 1.1.300, 1.1.400, 1.2.0, 1.2.100, 1.2.200, 1.2.300, 1.3.0
All unaffected versions: 1.3.100, 1.3.200, 1.3.300, 1.3.400
maven:org.eclipse.platform:org.eclipse.ui.workbench
Dependent packages: 28Dependent repositories: 33
Downloads:
Affected Version Ranges: < 3.130.0
Fixed in: 3.130.0
All affected versions: 3.108.2, 3.108.3, 3.110.0, 3.110.1, 3.111.0, 3.112.0, 3.112.100, 3.113.0, 3.115.0, 3.116.0, 3.117.0, 3.118.0, 3.119.0, 3.120.0, 3.122.0, 3.122.100, 3.122.200, 3.123.0, 3.124.0, 3.125.0, 3.125.100, 3.126.0, 3.127.0, 3.128.0, 3.129.0
All unaffected versions: 3.130.0, 3.131.0, 3.131.100, 3.132.0, 3.133.0
maven:org.eclipse.platform:org.eclipse.ui.ide
Dependent packages: 46Dependent repositories: 12
Downloads:
Affected Version Ranges: < 3.21.100
Fixed in: 3.21.100
All affected versions: 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.14.0, 3.14.100, 3.14.200, 3.15.0, 3.15.200, 3.16.0, 3.16.100, 3.17.0, 3.17.100, 3.17.200, 3.18.0, 3.18.100, 3.18.200, 3.18.300, 3.18.400, 3.18.500, 3.19.0, 3.19.100, 3.20.0, 3.20.100, 3.21.0
All unaffected versions: 3.21.100, 3.22.0, 3.22.100, 3.22.200, 3.22.300
maven:org.eclipse.platform:org.eclipse.ui.forms
Dependent packages: 37Dependent repositories: 5
Downloads:
Affected Version Ranges: < 3.13.0
Fixed in: 3.13.0
All affected versions: 3.7.0, 3.7.1, 3.7.100, 3.7.101, 3.7.200, 3.7.300, 3.7.400, 3.7.500, 3.8.0, 3.8.100, 3.8.200, 3.9.0, 3.9.100, 3.10.0, 3.11.0, 3.11.100, 3.11.200, 3.11.300, 3.11.400, 3.11.500, 3.11.600, 3.12.0
All unaffected versions: 3.13.0, 3.13.100, 3.13.200, 3.13.300
maven:org.eclipse.platform:org.eclipse.jface
Dependent packages: 68Dependent repositories: 80
Downloads:
Affected Version Ranges: < 3.31.0
Fixed in: 3.31.0
All affected versions: 3.12.1, 3.12.2, 3.13.0, 3.13.1, 3.13.2, 3.14.0, 3.14.100, 3.15.0, 3.15.100, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.21.0, 3.22.0, 3.22.100, 3.22.200, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.30.0
All unaffected versions: 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.35.0
maven:org.eclipse.platform:org.eclipse.platform
Dependent packages: 1Dependent repositories: 3
Downloads:
Affected Version Ranges: < 4.29.0
Fixed in: 4.29.0
All affected versions: 4.6.2, 4.6.3, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.9.0, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0
All unaffected versions: 4.29.0, 4.30.0, 4.31.100, 4.32.0, 4.33.0
maven:org.eclipse.platform:org.eclipse.core.runtime
Dependent packages: 291Dependent repositories: 144
Downloads:
Affected Version Ranges: < 3.29.0
Fixed in: 3.29.0
All affected versions: 3.12.0, 3.13.0, 3.14.0, 3.15.0, 3.15.100, 3.15.200, 3.15.300, 3.16.0, 3.17.0, 3.17.100, 3.18.0, 3.19.0, 3.20.0, 3.20.100, 3.22.0, 3.23.0, 3.24.0, 3.24.100, 3.25.0, 3.26.0, 3.26.100, 3.27.0
All unaffected versions: 3.29.0, 3.30.0, 3.31.0, 3.31.100