In Eclipse IDE versions earlier than 2023-09 (4.29), some files with XML content are parsed by an XML parser that is vulnerable to a range of XXE (XML External Entity) attacks. A user only needs to open a malicious project, or update an already open project with a crafted file (for example while reviewing a foreign repository or patch), to be affected.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.eclipse.platform:org.eclipse.core.runtime (Maven) | 0 | 3.29.0 | N/A |
| org.eclipse.platform:org.eclipse.platform (Maven) | 0 | 4.29.0 | N/A |
| org.eclipse.platform:org.eclipse.jface (Maven) | 0 | 3.31.0 | N/A |
| org.eclipse.platform:org.eclipse.ui.forms (Maven) | 0 | 3.13.0 | N/A |
| org.eclipse.platform:org.eclipse.ui.ide (Maven) | 0 | 3.21.100 | N/A |
| org.eclipse.platform:org.eclipse.ui.workbench (Maven) | 0 | 3.130.0 | N/A |
| org.eclipse.platform:org.eclipse.urischeme (Maven) | 0 | 1.3.100 | N/A |
| org.eclipse.jdt:org.eclipse.jdt.ui (Maven) | 0 | 3.30.0 | N/A |
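The root cause class described above, an XML parser that still honours DOCTYPE and external entity declarations, is fixed by configuring the JAXP parser before any project file is read. The following is an added example and not code from Eclipse or from this advisory: it builds a hardened `DocumentBuilderFactory` and checks that a document carrying a DOCTYPE with an external entity is rejected before the entity's URI is ever resolved. The class name, the `parseOrNull` helper and the sample XML with its placeholder `file:///placeholder/not-fetched` URI are all constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

// Hypothetical helper class (not part of Eclipse) showing the hardened parser setup.
public final class HardenedXmlParser {

    // The weak configuration is simply DocumentBuilderFactory.newInstance() with no
    // features set: it accepts DOCTYPE declarations and resolves external entities.
    // This factory turns all of that off.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no internal or external entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no external DTD or schema fetching over any protocol.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses the document with the hardened factory; returns null when the parser rejects it. */
    public static Document parseOrNull(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException rejected) {
            // disallow-doctype-decl surfaces as a SAXParseException at the DOCTYPE line.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a project-style XML file whose DOCTYPE declares an external entity.
        // The SYSTEM URI is a placeholder; the hardened parser stops at the DOCTYPE, so it is never fetched.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///placeholder/not-fetched\">]>\n"
            + "<project><name>&ext;</name></project>";
        // Constructed sample: an ordinary document without a DOCTYPE, which must still parse.
        String plain = "<?xml version=\"1.0\"?><project><name>demo</name></project>";

        System.out.println("DOCTYPE document rejected: " + (parseOrNull(withDoctype) == null));
        System.out.println("plain document parsed:     " + (parseOrNull(plain) != null));
    }
}
```

The same feature set applies to `SAXParserFactory` and, for `XMLInputFactory`, to the `IS_SUPPORTING_EXTERNAL_ENTITIES` and `SUPPORT_DTD` properties; whichever API a component uses to read files from a workspace, the check to make is that a DOCTYPE-bearing input fails to parse rather than quietly resolving its entities.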