VYPR
High severity · NVD Advisory · Published Mar 15, 2023 · Updated Feb 27, 2025

CVE-2023-0100

Description

In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed retrieving a report from the same host using an absolute HTTP path in the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched in Eclipse BIRT 4.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.eclipse.birt:org.eclipse.birt.report.viewer (Maven)
Affected versions: >= 2.6.2, < 4.13
Patched versions: 4.13

Vulnerability mechanics

Root cause

"The `isValidFilePath()` method trusted the HTTP Host header to validate the domain of a URL-based report path, allowing an attacker to bypass the check by tampering with the Host header."

Attack vector

An attacker can supply a `__report` parameter with an absolute HTTP URL (e.g. `__report=http://attacker.com/report.rptdesign`). In the default configuration before the patch, the `isValidFilePath()` method compared the URL's host against `request.getServerName()`, which the servlet container derives from the client-supplied HTTP Host header. If no virtual host restrictions are in place (common in default Apache Tomcat setups), the attacker can set the Host header to their own domain so that it matches the `__report` URL, passing the domain check and causing the BIRT server to fetch and execute a report from an arbitrary external host [patch_id=1641166].

Affected code

The vulnerability resides in `ParameterAccessor.java` [patch_id=1641166], specifically in the `isValidFilePath()` method and the `initParameters()` initialization. The default `urlReportPathPolicy` was changed from `POLICY_DOMAIN` to `POLICY_NONE`, and a new `fUrlReportPathDomains` list (defaulting to `localhost` and `127.0.0.1`) was introduced. The XML configuration files (`web.xml`, `web_deploy.xml`, `web-template.xml`, `web-viewer.xml`, `web-war.xml`) were also updated to reflect the new default policy and domain allowlist [patch_id=1641166].

What the fix does

The patch changes the default `URL_REPORT_PATH_POLICY` from `domain` to `none` across all XML configuration files, disabling URL-based report paths by default [patch_id=1641166]. It introduces a new `URL_REPORT_PATH_DOMAINS` context parameter that defaults to `localhost,127.0.0.1`. In `ParameterAccessor.java`, the `isValidFilePath()` method no longer compares against `request.getServerName()` (the Host header); instead, when `POLICY_DOMAIN` is active, it checks the URL's host against the explicit `fUrlReportPathDomains` list. This closes the Host-header-tampering vector because the allowed domains are now a fixed server-side configuration rather than being derived from the incoming request.
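To make the attack-vector and fix paragraphs concrete, the following added example (not BIRT's own code) models the two forms of the `isValidFilePath()` check side by side and reads the relevant `context-param` values out of a `web.xml`. The function names, the simplified check logic, the deployment-descriptor snippets and the attacker request are all constructed for illustration; only the parameter names `URL_REPORT_PATH_POLICY` and `URL_REPORT_PATH_DOMAINS`, the policy values and the `localhost,127.0.0.1` default come from the advisory text above.

```python
"""Model of the CVE-2023-0100 check before and after the BIRT 4.13 fix.

Added example, not BIRT's code: function names, the simplified check logic,
the web.xml snippets and the attacker request below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

POLICY_NONE, POLICY_DOMAIN, POLICY_ALL = "none", "domain", "all"


def _localname(tag):
    # Real web.xml files are namespaced (javaee/jakartaee); compare local names only.
    return tag.rsplit("}", 1)[-1]


def read_url_report_policy(web_xml, default_policy=POLICY_DOMAIN):
    """Return (policy, allowed_domains) from a web.xml string.

    A missing URL_REPORT_PATH_POLICY falls back to default_policy, which is
    'domain' here because that was the pre-4.13 default per the advisory.
    """
    params = {}
    for el in ET.fromstring(web_xml).iter():
        if _localname(el.tag) != "context-param":
            continue
        name = value = None
        for child in el:
            if _localname(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _localname(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value or ""
    policy = params.get("URL_REPORT_PATH_POLICY", default_policy).lower()
    raw = params.get("URL_REPORT_PATH_DOMAINS", "")
    domains = [d.strip().lower() for d in raw.split(",") if d.strip()]
    return policy, domains


def _is_absolute_http(report):
    return report.lower().startswith(("http://", "https://"))


def is_valid_file_path_before_fix(report, policy, host_header):
    """Pre-4.13 logic (simplified): under 'domain', an absolute report URL is
    accepted when its host equals request.getServerName(), which Tomcat derives
    from the client-controlled Host header."""
    if not _is_absolute_http(report):
        return True  # relative paths are validated elsewhere; out of scope here
    if policy == POLICY_ALL:
        return True
    if policy != POLICY_DOMAIN:
        return False
    url_host = (urlsplit(report).hostname or "").lower()
    server_name = host_header.split(":", 1)[0].lower()  # getServerName() drops the port
    return bool(url_host) and url_host == server_name


def is_valid_file_path_after_fix(report, policy, allowed_domains):
    """4.13 logic (simplified): under 'domain', the URL host must be in the
    server-side URL_REPORT_PATH_DOMAINS list; the Host header is never consulted."""
    if not _is_absolute_http(report):
        return True
    if policy == POLICY_ALL:
        return True
    if policy != POLICY_DOMAIN:
        return False
    url_host = (urlsplit(report).hostname or "").lower()
    return bool(url_host) and url_host in {d.lower() for d in allowed_domains}


# Constructed deployment descriptors (namespace omitted for brevity).
WEB_XML_PRE_PATCH = """<web-app>
  <context-param>
    <param-name>URL_REPORT_PATH_POLICY</param-name>
    <param-value>domain</param-value>
  </context-param>
</web-app>"""

WEB_XML_PATCHED = """<web-app>
  <context-param>
    <param-name>URL_REPORT_PATH_POLICY</param-name>
    <param-value>none</param-value>
  </context-param>
  <context-param>
    <param-name>URL_REPORT_PATH_DOMAINS</param-name>
    <param-value>localhost,127.0.0.1</param-value>
  </context-param>
</web-app>"""

# Constructed attacker request: Host header chosen to match the __report URL.
ATTACK_REPORT = "http://attacker.example/report.rptdesign"
ATTACK_HOST_HEADER = "attacker.example"


def demo():
    pre_policy, _ = read_url_report_policy(WEB_XML_PRE_PATCH)
    post_policy, post_domains = read_url_report_policy(WEB_XML_PATCHED)
    return {
        "before_fix_accepts_tampered_host": is_valid_file_path_before_fix(
            ATTACK_REPORT, pre_policy, ATTACK_HOST_HEADER),
        "after_fix_default_policy": is_valid_file_path_after_fix(
            ATTACK_REPORT, post_policy, post_domains),
        # An operator who re-enables 'domain' is still protected by the fixed allowlist.
        "after_fix_domain_policy": is_valid_file_path_after_fix(
            ATTACK_REPORT, POLICY_DOMAIN, post_domains),
        "after_fix_localhost_report": is_valid_file_path_after_fix(
            "http://localhost:8080/r.rptdesign", POLICY_DOMAIN, post_domains),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The pre-fix check passes for the tampered request because both sides of the comparison are under the attacker's control; the post-fix check fails it under the new `none` default and also under `domain`, since the allowlist is fixed server-side configuration. `read_url_report_policy()` is the audit step: run it over a deployed `web.xml` to confirm the policy is `none` (or `domain` with a deliberately chosen allowlist) rather than the old default.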

Preconditions

  • [config] The BIRT server must be configured with URL_REPORT_PATH_POLICY set to 'domain' (the default before the patch) or 'all' (under 'all', any URL is accepted and the Host check is not needed).
  • [config] The server must not enforce virtual host restrictions (e.g., default Apache Tomcat configuration), so the Host header can be tampered with.
  • [network] The attacker must be able to send an HTTP request to the BIRT viewer with a crafted __report parameter and a manipulated Host header.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
