CVE-2023-4218 - OpenCVE

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Eclipse	Eclipse Ide Org.eclipse.core.runtime Pde

Configuration 1 [-]

OR	cpe:2.3:a:eclipse:eclipse_ide::::::::
	cpe:2.3:a:eclipse:org.eclipse.core.runtime::::::::
	cpe:2.3:a:eclipse:pde::::::::

No data.

References

Link	Providers
https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b
https://github.com/eclipse-emf/org.eclipse.emf/issues/10
https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d
https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec
https://github.com/eclipse-pde/eclipse.pde/pull/632/
https://github.com/eclipse-pde/eclipse.pde/pull/667/
https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45
https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba
https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd
https://github.com/eclipse-platform/eclipse.platform/pull/761
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8

History

No history.

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2023-11-09T08:26:51.567Z

Updated: 2024-09-03T19:26:14.225Z

Reserved: 2023-08-08T06:06:20.616Z

Link: CVE-2023-4218

Vulnrichment

Updated: 2024-08-02T07:17:12.212Z

NVD

Status : Analyzed

Published: 2023-11-09T09:15:08.320

Modified: 2023-11-24T18:25:48.900

Link: CVE-2023-4218

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4218", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2023-08-08T06:06:20.616Z", "datePublished": "2023-11-09T08:26:51.567Z", "dateUpdated": "2024-09-03T19:26:14.225Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Eclipse IDE", "vendor": "Eclipse Foundation", "versions": [{"lessThan": "4.29", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Eclipse IDE", "vendor": "Eclipse Foundation", "versions": [{"lessThan": "2023-09", "status": "affected", "version": "0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "org.eclipse.core.runtime", "vendor": "Eclipse Foundation", "versions": [{"lessThan": "3.29.0", "status": "affected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "org.eclipse.pde", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "3.13.2400", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "J\u00f6rg Kubitz"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).<br>"}], "value": "In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2023-11-09T08:26:51.567Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8"}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/632/"}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/667/"}, {"url": "https://github.com/eclipse-platform/eclipse.platform/pull/761"}, {"url": "https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45"}, {"url": "https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd"}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec"}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d"}, {"url": "https://github.com/eclipse-emf/org.eclipse.emf/issues/10"}, {"url": "https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba"}, {"url": "https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b"}], "source": {"discovery": "UNKNOWN"}, "title": "XXE in eclipse.platform / Eclipse IDE", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.212Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/632/", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/667/", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform/pull/761", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-emf/org.eclipse.emf/issues/10", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T19:23:43.910350Z", "id": "CVE-2023-4218", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T19:26:14.225Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/632/", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/667/", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform/pull/761", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-emf/org.eclipse.emf/issues/10", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba", "tags": ["x_transferred"]}, {"url": "https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.212Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4218", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-03T19:23:43.910350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T19:25:04.548Z"}}], "cna": {"title": "XXE in eclipse.platform / Eclipse IDE", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "J\u00f6rg Kubitz"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Eclipse Foundation", "product": "Eclipse IDE", "versions": [{"status": "affected", "version": "0", "lessThan": "4.29", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Eclipse Foundation", "product": "Eclipse IDE", "versions": [{"status": "affected", "version": "0", "lessThan": "2023-09", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Eclipse Foundation", "product": "org.eclipse.core.runtime", "versions": [{"status": "affected", "version": "0", "lessThan": "3.29.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Eclipse Foundation", "product": "org.eclipse.pde", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.13.2400"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8"}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/632/"}, {"url": "https://github.com/eclipse-pde/eclipse.pde/pull/667/"}, {"url": "https://github.com/eclipse-platform/eclipse.platform/pull/761"}, {"url": "https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45"}, {"url": "https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd"}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec"}, {"url": "https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d"}, {"url": "https://github.com/eclipse-emf/org.eclipse.emf/issues/10"}, {"url": "https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba"}, {"url": "https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).\n", "supportingMedia": [{"type": "text/html", "value": "In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2023-11-09T08:26:51.567Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4218", "state": "PUBLISHED", "dateUpdated": "2024-09-03T19:26:14.225Z", "dateReserved": "2023-08-08T06:06:20.616Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2023-11-09T08:26:51.567Z", "assignerShortName": "eclipse"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B8336F1-FA6C-46B0-B4D2-F5B01D3F64DD", "versionEndExcluding": "4.29", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:org.eclipse.core.runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "25A5577C-DC07-414F-AF2E-E45B65408680", "versionEndExcluding": "3.29.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:pde:*:*:*:*:*:*:*:*", "matchCriteriaId": "81620F59-7825-4EAC-AF33-103FD0F203F9", "versionEndExcluding": "3.13.2400", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).\n"}, {"lang": "es", "value": "En las versiones de Eclipse IDE <2023-09 (4.29), algunos archivos con contenido xml se analizan como vulnerables a todo tipo de ataques XXE. El usuario s\u00f3lo necesita abrir cualquier proyecto maligno o actualizar un proyecto abierto con un archivo vulnerable (por ejemplo, para revisar un repositorio o parche externo)."}], "id": "CVE-2023-4218", "lastModified": "2023-11-24T18:25:48.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2023-11-09T09:15:08.320", "references": [{"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b"}, {"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/eclipse-emf/org.eclipse.emf/issues/10"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-pde/eclipse.pde/pull/632/"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-pde/eclipse.pde/pull/667/"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd"}, {"source": "emo@eclipse.org", "tags": ["Patch"], "url": "https://github.com/eclipse-platform/eclipse.platform/pull/761"}, {"source": "emo@eclipse.org", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "emo@eclipse.org", "type": "Secondary"}]}