Impact

xml files like ".project" are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).

Vulnerablility was found by static code analysis (SonarLint).

Example .project file:

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE price [
<!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]>
<projectDescription>
	<name>p</name>
	<comment>&xxe;</comment>
</projectDescription>

Patches

Similar patches including junit test that shows the vulnerability have already applied to PDE (see eclipse-pde/eclipse.pde#667). A solution to platform should be the same: just reject parsing any XML that contains any DOCTYPE.

Workarounds

No known workaround. User can only avoid to get/open any foreign files with eclipse. Firewall rules against loss of data (but not against XML bomb).

References

https://cwe.mitre.org/data/definitions/611.html
https://rules.sonarsource.com/java/RSPEC-2755
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 (Report for multiple projects affected)

References

• GHSA-j24h-xcpc-9jw8
• https://nvd.nist.gov/vuln/detail/CVE-2023-4218
• eclipse-emf/org.eclipse.emf#10
• eclipse-platform/eclipse.platform.releng.buildtools#45
• eclipse-platform/eclipse.platform#761
• eclipse-cdt/cdt@c7169b3
• eclipse-jdt/eclipse.jdt.core@38dd2a8
• eclipse-jdt/eclipse.jdt.ui@13675b1
• eclipse-platform/eclipse.platform.swt@bf71db5
• eclipse-platform/eclipse.platform.ui@f243cf0
• eclipse-platform/eclipse.platform@5dc372a
• https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8
• eclipse-pde/eclipse.pde#632
• eclipse-pde/eclipse.pde#667