request CVE for XXE in org.eclipse.pde

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

Basic information

Project name: Eclipse PDE - Plug-in Development Environment

Project id: eclipse.pde

Request type: reservation

Versions affected: org.eclipse.pde up to 3.13.2400 (Included in Eclipse IDE up to 2023-06)

Common Weakness Enumeration:

• {CWE-611} CWE-611: Improper Restriction of XML External Entity Reference

Summary:

In Eclipse PDE - Plug-in Development Environment (org.eclipse.pde) version up to 3.13.2400 xml files (like META-INF/MANIFEST.XML) can be used to access external entities.

Links:

• vulnerability-reports#8 (closed)
• https://github.com/eclipse-pde/eclipse.pde/pull/634
• https://github.com/eclipse-pde/eclipse.pde/pull/633
• https://github.com/eclipse-pde/eclipse.pde/pull/632

Tracking

This section will completed by the project team.

• Reserve an entry only
• We're ready for this issue to be reported to the central authority (i.e., make this public now)
• (when applicable) The GitHub Security Advisory is ready to be published now

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

This section will be completed by the EMO.

CVE: {cve}

• All required information is provided
• CVE Assigned
• Pushed to Mitre
• Accepted by Mitre

assigned to @mrybczyn

We'll use CVE-2023-3594

For now the issue is only reserved, there is no public content. Please tell us when you would like to publish it.

mentioned in issue vulnerability-reports#8 (closed)

@mbarbero can you provide an CVSS?

@jkubitz I propose: Either CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (if only selected files can be accessed) or CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (if any file can be accessed)

Our Secuirty officer said it's CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Any locally file can be accessed and send to any local accessible remote via http.

If any file can be accessed then I agree with CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

one more question: what is "the" relevant version number of the software? Affected is for example Eclipse 2023-06 4.28 with a lot of plugin's that all have separate version numbers in their manifest. For example:

We can list multiple configurations, so multiple software modules affected. Please list all modules that include the vulnerable code with the version that has a fix and I will do a lookup for relevant CPEs (the product names we use in CVEs).

Do you plan to do a Platform release with fixes?

"Do you plan to do a Platform release with fixes?" i don't know what that is. I am only used to commit things and wait for the next regular release.

One more question about version number. For example "org.eclipse.jdt.launching" is affected and it has the version 3.20.100.qualifier In the next release normally the major, minor parts "3.20" will stay the same, because no API is added. is that ok for security fixes too?

I will follow-up on the release separately.

For a security release, only changing the last version part is OK. 3.20.200 would be a perfect security release, suggesting that there are only fixes and no API changes.

Finally we'll use CVE-2023-4218 for all issues. I'm closing this one.

closed

made the issue visible to everyone

Removing the confidential flag, CVE-2023-4218 has been published