Lucene search

EclipseCVE-2019-17637

HistoryJul 15, 2020 - 3:15 p.m.

CVE-2019-17637

2020-07-1515:15:11

CWE-611

eclipse

web.nvd.nist.gov

cve-2019-17637

eclipse

web tools platform

xml

dtd

security vulnerability

remote file access

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

40.6%

JSON

In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences.

Affected configurations

Nvd

Node

eclipseweb_tools_platformRange1.0–3.18

Node

debiandebian_linuxMatch9.0

VendorProductVersionCPE
eclipseweb_tools_platform*cpe:2.3:a:eclipse:web_tools_platform:*:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
eclipse	web_tools_platform	*	cpe:2.3:a:eclipse:web_tools_platform::::::::
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*

CNA Affected

[
  {
    "product": "Eclipse Web Tools Platform",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "1.0 to 3.18"
      }
    ]
  }
]