CVE-2023-4218
Eclipse IDE XXE in eclipse.platform
Description
### Impact

XML files such as `.project` are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open any malicious project, or update an open project with a vulnerable file (for example when reviewing a foreign repository or patch). The vulnerability was found by static code analysis (SonarLint).

Example `.project` file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE price [ <!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
  <name>p</name>
  <comment>&xxe;</comment>
</projectDescription>
```

### Patches

Similar patches, including a JUnit test that demonstrates the vulnerability, have already been applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). The solution for platform should be the same: reject parsing any XML that contains a `DOCTYPE`.

### Workarounds

No known workaround. Users can only avoid obtaining or opening foreign files with Eclipse. Firewall rules can guard against loss of data (but not against an XML bomb).

### References

- https://cwe.mitre.org/data/definitions/611.html
- https://rules.sonarsource.com/java/RSPEC-2755
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (report for multiple affected projects)
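The fix the advisory describes, rejecting any XML with a `DOCTYPE`, can be expressed as a hardened JAXP parser configuration. The following is an added example written for this page, not the Eclipse platform or PDE patch itself; the class name `ProjectFileParser`, its methods, and the two inline `.project` samples (one benign, one modelled on the advisory's proof of concept with the same loopback entity URL) are constructed for illustration. It shows a benign file parsing normally while the file carrying a `DOCTYPE` is refused before any entity can be resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Example parser for ".project"-style files (constructed for this page, not Eclipse code).
public class ProjectFileParser {

    // Builds a DocumentBuilder that refuses any DOCTYPE declaration, so neither internal
    // nor external entities can be declared. The remaining features are defence in depth
    // in case the DOCTYPE feature is ever relaxed or unsupported by another parser.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Forbid all protocols for external DTD and schema access (JAXP 1.5+).
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parses the project description and returns the <name> element's text.
    // Throws SAXException if the document contains a DOCTYPE (or is otherwise malformed).
    static String readProjectName(String xml) throws Exception {
        Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign sample: no DOCTYPE, so it parses normally.
        String benign = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
                + "<projectDescription><name>p</name><comment>ok</comment></projectDescription>";

        // Constructed sample modelled on the advisory's proof of concept.
        String withDoctype = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
                + "<!DOCTYPE price [ <!ENTITY xxe SYSTEM \"http://127.0.0.1:49416/evil\">]>\n"
                + "<projectDescription><name>p</name><comment>&xxe;</comment></projectDescription>";

        System.out.println("benign project name: " + readProjectName(benign));
        try {
            readProjectName(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected path: the parser stops at the DOCTYPE, before any entity is fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Rejecting the `DOCTYPE` outright is simpler and safer than trying to disable individual entity kinds, because it also stops entity-expansion attacks (the XML bomb mentioned under workarounds) that do not rely on external resolution at all.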
How to fix CVE-2023-4218
To remediate CVE-2023-4218, upgrade the affected package to a fixed version below.
- —upgrade to 3.30.0 or later
- —upgrade to 3.29.0 or later
- —upgrade to 3.31.0 or later
- —upgrade to 4.29.0 or later
- —upgrade to 3.13.0 or later
- —upgrade to 3.21.100 or later