PT-2021-20529 · Eclipse · Eclipse Theia

Paul Maréchal · Published 2021-09-01 · Updated 2022-10-27

CVE-2021-34435

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Eclipse Theia versions 0.3.9 through 1.8.1

Description: The issue allows a previewed HTML file to trigger a remote code execution (RCE) in the Eclipse Theia IDE, specifically through the "mini-browser" extension. The exploit occurs when a user previews a malicious HTML file within the IDE's iframe.

Recommendations: For Eclipse Theia versions 0.3.9 through 1.8.1, consider disabling the "mini-browser" extension as a temporary workaround to prevent exploitation of this issue until a patch is available. Restrict access to previewing HTML files within the IDE to minimize the risk of RCE.

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Origin Validation Error

Related Identifiers

CVE-2021-34435
GHSA-V9W2-V7J9-RJPR

Affected Products

Eclipse Theia