Moderate severityNVD Advisory· Published Nov 9, 2023· Updated Sep 3, 2024
XXE in eclipse.platform / Eclipse IDE
CVE-2023-4218
Description
In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.eclipse.platform:org.eclipse.core.runtimeMaven | < 3.29.0 | 3.29.0 |
org.eclipse.platform:org.eclipse.platformMaven | < 4.29.0 | 4.29.0 |
org.eclipse.platform:org.eclipse.jfaceMaven | < 3.31.0 | 3.31.0 |
org.eclipse.platform:org.eclipse.ui.formsMaven | < 3.13.0 | 3.13.0 |
org.eclipse.platform:org.eclipse.ui.ideMaven | < 3.21.100 | 3.21.100 |
org.eclipse.platform:org.eclipse.ui.workbenchMaven | < 3.130.0 | 3.130.0 |
org.eclipse.platform:org.eclipse.urischemeMaven | < 1.3.100 | 1.3.100 |
org.eclipse.jdt:org.eclipse.jdt.uiMaven | < 3.30.0 | 3.30.0 |
Affected products
48- ghsa-coords45 versionspkg:maven/org.eclipse.jdt/org.eclipse.jdt.uipkg:maven/org.eclipse.platform/org.eclipse.core.runtimepkg:maven/org.eclipse.platform/org.eclipse.jfacepkg:maven/org.eclipse.platform/org.eclipse.platformpkg:maven/org.eclipse.platform/org.eclipse.ui.formspkg:maven/org.eclipse.platform/org.eclipse.ui.idepkg:maven/org.eclipse.platform/org.eclipse.ui.workbenchpkg:maven/org.eclipse.platform/org.eclipse.urischemepkg:rpm/opensuse/eclipse-bootstrap&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/eclipse&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/eclipse-emf-bootstrap&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/eclipse-emf&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/maven-surefire&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/maven-surefire-plugins&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/maven-surefire-provider-junit5&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tycho-bootstrap&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tycho&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/eclipse-bootstrap&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/eclipse&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/eclipse-emf-bootstrap&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/eclipse-emf&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/maven-surefire&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/maven-surefire&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP5pkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/maven-surefire-plugins&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4
< 3.30.0+ 44 more
- (no CPE)range: < 3.30.0
- (no CPE)range: < 3.29.0
- (no CPE)range: < 3.31.0
- (no CPE)range: < 4.29.0
- (no CPE)range: < 3.13.0
- (no CPE)range: < 3.21.100
- (no CPE)range: < 3.130.0
- (no CPE)range: < 1.3.100
- (no CPE)range: < 4.15-150200.4.16.5
- (no CPE)range: < 4.15-150200.4.16.4
- (no CPE)range: < 2.22.0-150200.4.9.3
- (no CPE)range: < 2.22.0-150200.4.9.3
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 1.6.0-150200.4.9.2
- (no CPE)range: < 1.6.0-150200.4.9.5
- (no CPE)range: < 4.15-150200.4.16.5
- (no CPE)range: < 4.15-150200.4.16.4
- (no CPE)range: < 2.22.0-150200.4.9.3
- (no CPE)range: < 2.22.0-150200.4.9.3
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- (no CPE)range: < 2.22.2-150200.3.9.9.1
- Eclipse Foundation/Eclipse IDEv5Range: 0
- Eclipse Foundation/org.eclipse.core.runtimev5Range: 0
- Eclipse Foundation/org.eclipse.pdev5Range: 0
Patches
Vulnerability mechanics
References
17- github.com/advisories/GHSA-j24h-xcpc-9jw8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-4218ghsaADVISORY
- github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1bghsaWEB
- github.com/eclipse-emf/org.eclipse.emf/issues/10ghsaWEB
- github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4dghsaWEB
- github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbecghsaWEB
- github.com/eclipse-pde/eclipse.pde/pull/632ghsaWEB
- github.com/eclipse-pde/eclipse.pde/pull/667ghsaWEB
- github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45ghsaWEB
- github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06baghsaWEB
- github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bdghsaWEB
- github.com/eclipse-platform/eclipse.platform/commit/5dc372a0c5002b7f22e5d49eaa1cbf0916455dafghsaWEB
- github.com/eclipse-platform/eclipse.platform/pull/761ghsaWEB
- github.com/eclipse-platform/eclipse.platform/security/advisories/GHSA-j24h-xcpc-9jw8ghsaWEB
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/8ghsaWEB
- github.com/eclipse-pde/eclipse.pde/pull/632/mitre
- github.com/eclipse-pde/eclipse.pde/pull/667/mitre
News mentions
0No linked articles in our index yet.