XXE in eclipse.platform / Eclipse IDE
Please add project leads to confirm this:
Basic information
Project name: Eclipse Platform, Eclipse IDE
Project id: eclipse.platform
Request type: publication
Versions affected: org.eclipse.core.runtime < 3.29.0, Eclipse IDE < 4.29, Eclipse IDE < 2023-09
Common Weakness Enumeration:
Common Vulnerability Scoring System: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary:
In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any malicious project, or update an open project with a crafted file (for example, to review a foreign repository or patch).
Links:
- https://github.com/eclipse-pde/eclipse.pde/pull/632/
- https://github.com/eclipse-pde/eclipse.pde/pull/667/
- https://github.com/eclipse-platform/eclipse.platform/pull/761
- https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45
- https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd
- https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec (eclipse.jdt.ui)
- https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d
- https://github.com/eclipse-emf/org.eclipse.emf/issues/10
- https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba
- https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b
- vulnerability-reports#8 (closed)
Tracking
This section will be completed by the project team.
- Reserve an entry only
- We're ready for this issue to be reported to the central authority (i.e., make this public now)
Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.
This section will be completed by the EMO.
CVE: {cve}
- All required information is provided
- CVE Assigned
- Pushed to Mitre