GHSA-J24H-XCPC-9JW8
Vulnerability from github – Published: 2023-11-30 19:52 – Updated: 2024-03-05 21:36
Impact
XML files such as ".project" are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open any malicious project, or update an already open project with a crafted file (for example, when reviewing a foreign repository or patch).
The vulnerability was found by static code analysis (SonarLint).
Example .project file:
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [
<!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
<name>p</name>
<comment>&xxe;</comment>
</projectDescription>
```
Patches
Similar patches, including a JUnit test that demonstrates the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The fix for Platform should be the same: reject parsing any XML that contains a DOCTYPE.
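The DOCTYPE-rejecting parser configuration described above, as an added Java example (not the Eclipse project's own code): a hardened DocumentBuilderFactory refuses the advisory's crafted .project file before any entity can be resolved, while a DOCTYPE-free file still loads. The feature URI is the Xerces one that the JDK's built-in parser supports; the class and method names are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedProjectParser {

    // Hardened factory: any DOCTYPE (and therefore any entity declaration) is
    // rejected up front, so neither external entity fetches nor nested-entity
    // expansion (XML bomb) can happen during parsing.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the <name> of a .project document, or throws if it carries a DOCTYPE.
    static String projectName(String xml) throws Exception {
        Document doc = newHardenedBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the advisory's crafted file and a benign equivalent.
        String crafted = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
            + "<!DOCTYPE price [<!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\">]>\n"
            + "<projectDescription><name>p</name><comment>&xxe;</comment></projectDescription>";
        String benign = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
            + "<projectDescription><name>p</name><comment>ok</comment></projectDescription>";

        System.out.println("benign  -> name = " + projectName(benign));
        try {
            projectName(crafted);
            System.out.println("crafted -> PARSED (parser is NOT hardened)");
        } catch (SAXParseException e) {
            // The parser reports the DOCTYPE itself; no request to the entity URL is made.
            System.out.println("crafted -> rejected: " + e.getMessage());
        }
    }
}
```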
Workarounds
No known workaround. Users can only avoid fetching or opening foreign files with Eclipse. Firewall rules can limit data exfiltration through external entities (but do not help against an XML bomb).
References
https://cwe.mitre.org/data/definitions/611.html
https://rules.sonarsource.com/java/RSPEC-2755
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.platform:org.eclipse.core.runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.29.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.platform:org.eclipse.platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.29.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.platform:org.eclipse.jface"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.31.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.platform:org.eclipse.ui.forms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.platform:org.eclipse.ui.ide"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.21.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.platform:org.eclipse.ui.workbench"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.130.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.platform:org.eclipse.urischeme"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jdt:org.eclipse.jdt.ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.30.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4218"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2023-11-30T19:52:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nxml files like \".project\" are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).\n\nVulnerablility was found by static code analysis (SonarLint).\n\nExample `.project` file:\n```\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e \n\u003c!DOCTYPE price [\n\u003c!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\"\u003e]\u003e\n\u003cprojectDescription\u003e\n\t\u003cname\u003ep\u003c/name\u003e\n\t\u003ccomment\u003e\u0026xxe;\u003c/comment\u003e\n\u003c/projectDescription\u003e\n```\n\n### Patches\nSimilar patches including junit test that shows the vulnerability have already applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). A solution to platform should be the same: just reject parsing any XML that contains any `DOCTYPE`.\n\n### Workarounds\nNo known workaround. User can only avoid to get/open any foreign files with eclipse. Firewall rules against loss of data (but not against XML bomb).\n\n### References\nhttps://cwe.mitre.org/data/definitions/611.html\nhttps://rules.sonarsource.com/java/RSPEC-2755\nhttps://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)\n\n",
"id": "GHSA-j24h-xcpc-9jw8",
"modified": "2024-03-05T21:36:55Z",
"published": "2023-11-30T19:52:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eclipse-platform/eclipse.platform/security/advisories/GHSA-j24h-xcpc-9jw8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4218"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-emf/org.eclipse.emf/issues/10"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-pde/eclipse.pde/pull/632"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-pde/eclipse.pde/pull/667"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-platform/eclipse.platform/pull/761"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-platform/eclipse.platform/commit/5dc372a0c5002b7f22e5d49eaa1cbf0916455daf"
},
{
"type": "PACKAGE",
"url": "https://github.com/eclipse-platform/eclipse.platform"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Eclipse IDE XXE in eclipse.platform"
}