Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Eclipse Memory Analyzer (tools.mat) by Eclipse Foundation
CVE-2023-6194 (GCVE-0-2023-6194)
Vulnerability from nvd – Published: 2023-12-11 14:04 – Updated: 2024-08-02 08:21
VLAI
EPSS
VEX
Summary
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit
document type definition (DTD) references to external entities.
This means that if a user chooses to use a malicious report definition XML file containing an external entity reference
to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.
Severity
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Foundation | Eclipse Memory Analyzer (tools.mat) |
Affected:
0.7 , ≤ 1.14.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/15"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631"
},
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eclipse Memory Analyzer (tools.mat)",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "1.14.0",
"status": "affected",
"version": "0.7",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit\ndocument type definition (DTD) references to external entities.\nThis means that if a user chooses to use a malicious report definition XML file containing an external entity reference\nto generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.\u003cbr\u003e"
}
],
"value": "In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit\ndocument type definition (DTD) references to external entities.\nThis means that if a user chooses to use a malicious report definition XML file containing an external entity reference\nto generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T14:04:51.680Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/15"
},
{
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631"
},
{
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169"
}
],
"source": {
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini\u003c/p\u003e\n\u003cdiv\u003e\n\u003cpre\u003e\u003ccode\u003e-Djavax.xml.accessExternalSchema=\n-Djavax.xml.accessExternalDTD=\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini\n\n\n\n-Djavax.xml.accessExternalSchema=\n-Djavax.xml.accessExternalDTD=\n\n\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2023-6194",
"datePublished": "2023-12-11T14:04:51.680Z",
"dateReserved": "2023-11-17T16:32:44.668Z",
"dateUpdated": "2024-08-02T08:21:17.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6194 (GCVE-0-2023-6194)
Vulnerability from cvelistv5 – Published: 2023-12-11 14:04 – Updated: 2024-08-02 08:21
VLAI
EPSS
VEX
Summary
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit
document type definition (DTD) references to external entities.
This means that if a user chooses to use a malicious report definition XML file containing an external entity reference
to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.
Severity
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Eclipse Foundation | Eclipse Memory Analyzer (tools.mat) |
Affected:
0.7 , ≤ 1.14.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/15"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631"
},
{
"tags": [
"x_transferred"
],
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eclipse Memory Analyzer (tools.mat)",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "1.14.0",
"status": "affected",
"version": "0.7",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit\ndocument type definition (DTD) references to external entities.\nThis means that if a user chooses to use a malicious report definition XML file containing an external entity reference\nto generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.\u003cbr\u003e"
}
],
"value": "In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit\ndocument type definition (DTD) references to external entities.\nThis means that if a user chooses to use a malicious report definition XML file containing an external entity reference\nto generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-11T14:04:51.680Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/15"
},
{
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631"
},
{
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169"
}
],
"source": {
"discovery": "UNKNOWN"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini\u003c/p\u003e\n\u003cdiv\u003e\n\u003cpre\u003e\u003ccode\u003e-Djavax.xml.accessExternalSchema=\n-Djavax.xml.accessExternalDTD=\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini\n\n\n\n-Djavax.xml.accessExternalSchema=\n-Djavax.xml.accessExternalDTD=\n\n\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2023-6194",
"datePublished": "2023-12-11T14:04:51.680Z",
"dateReserved": "2023-11-17T16:32:44.668Z",
"dateUpdated": "2024-08-02T08:21:17.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}