PT-2023-28286 · Eclipse · Eclipse IDE

Jörg Kubitz (+1)

Published: 2023-11-09 · Updated: 2024-07-04 · CVE-2023-4218

CVSS v3.1: 5.0 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Eclipse IDE versions prior to 2023-09 (4.29)

Description: The issue concerns the parsing of XML content in certain files, which makes them vulnerable to XXE attacks. It can be triggered when a user opens a malicious project or updates an already open project with a vulnerable file, for example while reviewing a foreign repository or patch. The vulnerability was discovered through static code analysis using SonarLint. XML files such as ".project" files are affected: a malicious .project file could contain a DOCTYPE declaration that references an external entity, enabling an XXE attack.

Recommendations: For Eclipse IDE versions prior to 2023-09 (4.29), a potential solution is to reject parsing of any XML that contains a DOCTYPE declaration, similar to the patches applied to PDE. Until a patch is available, users can reduce the risk of exploitation by not opening or accessing foreign files with Eclipse. Firewall rules can additionally help prevent data loss, although they do not directly protect against XML bombs. At the moment, there is no known workaround other than avoiding foreign files.
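The DOCTYPE-rejection approach from the recommendation above, and the .project-style input the description mentions, illustrated as an added example that is not Eclipse's or PDE's own code. It uses the JDK's built-in DOM parser with the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` (supported by the JDK's bundled parser) plus secure processing; both XML strings are constructed samples, and the `file:///PLACEHOLDER` URI is a placeholder, not a real path.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class DoctypeRejectingParser {

    // Constructed sample: a benign, minimal .project-style descriptor.
    static final String BENIGN =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<projectDescription><name>demo</name></projectDescription>";

    // Constructed sample: the same descriptor carrying a DOCTYPE that declares
    // an external entity. The SYSTEM URI is a placeholder; the hardened parser
    // never resolves it because it rejects the DOCTYPE itself.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE projectDescription [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER\"> ]>\n"
      + "<projectDescription><name>&ext;</name></projectDescription>";

    // Build a DocumentBuilder that refuses any document containing a DOCTYPE.
    // Without a DTD there is nowhere to declare external or recursive entities,
    // so both XXE and entity-expansion ("XML bomb") inputs are rejected up front.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Returns true when the document was parsed, false when the hardened
    // builder rejected it (a DOCTYPE raises SAXParseException before any
    // entity is resolved) or when it was otherwise malformed.
    static boolean parsesUnderHardenedBuilder(String xml) {
        try {
            Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            System.err.println("parse failure: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("benign .project accepted:  " + parsesUnderHardenedBuilder(BENIGN));
        System.out.println("DOCTYPE .project accepted: " + parsesUnderHardenedBuilder(WITH_DOCTYPE));
    }
}
```

Compile and run with `javac DoctypeRejectingParser.java && java DoctypeRejectingParser`. The benign descriptor parses; the DOCTYPE variant is rejected with a SAXParseException before the parser ever looks at the entity's SYSTEM URI, which is why this single setting also covers the XML-bomb case that firewall rules cannot address.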

Tags: Exploit · Fix · XXE

Related Identifiers

CVE-2023-4218
GHSA-CC4W-3CFF-J8FW
GHSA-J24H-XCPC-9JW8
OPENSUSE-SU-2024:13786-1
OPENSUSE-SU-2024:13787-1
OPENSUSE-SU-2024_1304-1
SUSE-SU-2024:1304-1
SUSE-SU-2024_1304-1

Affected Products

Eclipse Ide
Red Os
Suse