CVE-2023-4218
MEDIUM
Eclipse IDE < 4.29 - XML External Entity Injection via Project File Parsing
Title source: llmDescription
In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user only needs to open a malicious project, or update an already open project with a crafted file (for example, to review a foreign repository or patch).
References (11)
Issue Tracking, Third Party Advisory
https://github.com/eclipse-emf/org.eclipse.emf/issues/10
Patch
https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d
Exploit, Issue Tracking, Vendor Advisory
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8
Scores
CVSS v3
5.0
EPSS
0.0039
EPSS Percentile
30.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-611
Status
published
Products (11)
eclipse/eclipse_ide
< 4.29
eclipse/org.eclipse.core.runtime
< 3.29.0
eclipse/pde
< 3.13.2400
org.eclipse.jdt/org.eclipse.jdt.ui
0 - 3.30.0 (Maven)
org.eclipse.platform/org.eclipse.core.runtime
0 - 3.29.0 (Maven)
org.eclipse.platform/org.eclipse.jface
0 - 3.31.0 (Maven)
org.eclipse.platform/org.eclipse.platform
0 - 4.29.0 (Maven)
org.eclipse.platform/org.eclipse.ui.forms
0 - 3.13.0 (Maven)
org.eclipse.platform/org.eclipse.ui.ide
0 - 3.21.100 (Maven)
org.eclipse.platform/org.eclipse.ui.workbench
0 - 3.130.0 (Maven)
... and 1 more
Published
Nov 09, 2023
Tracked Since
Feb 18, 2026