Eclipse Ide
CVE-2023-4218
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 18 maven packages depend on org.eclipse.jdt:org.eclipse.jdt.ui (16 direct, 2 indirect)
- 260 maven packages depend on org.eclipse.platform:org.eclipse.core.runtime (158 direct, 102 indirect)
- 117 maven packages depend on org.eclipse.platform:org.eclipse.jface (33 direct, 84 indirect)
- 1 maven packages depend on org.eclipse.platform:org.eclipse.platform (1 direct, 0 indirect)
- 49 maven packages depend on org.eclipse.platform:org.eclipse.ui.forms (21 direct, 28 indirect)
Ecosystem-wide dependent count for version 3.30.0 and other introduced versions.
DescriptionNVD
In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
AnalysisAI
In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch). Affected products include: Eclipse Eclipse Ide, Eclipse Org.Eclipse.Core.Runtime, Eclipse Pde.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
Share
External POC / Exploit Code
Leaving vuln.today