Vulnerability Description
In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed by XML parsers that are vulnerable to all sorts of XXE attacks. The user only needs to open a malicious project, or update an already open project with a vulnerable file (for example, to review a third-party repository or patch).
CVSS Score
5.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Eclipse Ide | < 4.29 |
| Eclipse | Org.Eclipse.Core.Runtime | < 3.29.0 |
| Eclipse | Pde | < 3.13.2400 |
Related Weaknesses (CWE)
References
- https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed (Patch)
- https://github.com/eclipse-emf/org.eclipse.emf/issues/10 (Issue Tracking, Third Party Advisory)
- https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f (Patch)
- https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0de (Patch)
- https://github.com/eclipse-pde/eclipse.pde/pull/632/ (Patch)
- https://github.com/eclipse-pde/eclipse.pde/pull/667/ (Patch)
- https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45 (Patch)
- https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0 (Patch)
- https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b (Patch)
- https://github.com/eclipse-platform/eclipse.platform/pull/761 (Patch)
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Exploit, Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2023-4218?
CVE-2023-4218 is a vulnerability with a CVSS score of 5.0 (MEDIUM). In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed by XML parsers that are vulnerable to all sorts of XXE attacks. The user only needs to open a malicious project, or update an already open project with...
How severe is CVE-2023-4218?
CVE-2023-4218 has been rated MEDIUM with a CVSS base score of 5.0/10. Refer to the CVSS Score section above for the severity rating.
Is there a patch for CVE-2023-4218?
Check the References section above for vendor advisories and patch information; the fix is included in Eclipse IDE 2023-09 (4.29). Affected products include: Eclipse Eclipse Ide, Eclipse Org.Eclipse.Core.Runtime, Eclipse Pde.