Lucene search

[email protected]CVE-2023-6194

HistoryDec 11, 2023 - 2:15 p.m.

CVE-2023-6194

2023-12-1114:15:31

CWE-611

[email protected]

web.nvd.nist.gov

eclipse memory analyzer

cve-2023-6194

xml

security vulnerability

dtd

external entity reference

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

7.3 High

AI Score

Confidence

Low

3.2 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:S/C:P/I:N/A:P

0.0005 Low

EPSS

Percentile

16.2%

JSON

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit
document type definition (DTD) references to external entities.
This means that if a user chooses to use a malicious report definition XML file containing an external entity reference
to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.

CPENameOperatorVersion
eclipse:memory_analyzereclipse memory analyzerle1.14.0
eclipse:memory_analyzereclipse memory analyzereq1.0.0
eclipse:memory_analyzereclipse memory analyzereq1.5.0
eclipse:memory_analyzereclipse memory analyzereq1.8.0
eclipse:memory_analyzereclipse memory analyzereq0.7
eclipse:memory_analyzereclipse memory analyzereq1.1.0
eclipse:memory_analyzereclipse memory analyzereq0.8
eclipse:memory_analyzereclipse memory analyzereq1.2.0
eclipse:memory_analyzereclipse memory analyzereq1.9.0
eclipse:memory_analyzereclipse memory analyzereq1.9.1

CPE	Name	Operator	Version
eclipse:memory_analyzer	eclipse memory analyzer	le	1.14.0
eclipse:memory_analyzer	eclipse memory analyzer	eq	1.0.0
eclipse:memory_analyzer	eclipse memory analyzer	eq	1.5.0
eclipse:memory_analyzer	eclipse memory analyzer	eq	1.8.0
eclipse:memory_analyzer	eclipse memory analyzer	eq	0.7
eclipse:memory_analyzer	eclipse memory analyzer	eq	1.1.0
eclipse:memory_analyzer	eclipse memory analyzer	eq	0.8
eclipse:memory_analyzer	eclipse memory analyzer	eq	1.2.0
eclipse:memory_analyzer	eclipse memory analyzer	eq	1.9.0
eclipse:memory_analyzer	eclipse memory analyzer	eq	1.9.1

Rows per page:

1-10 of 261

References

bugs.eclipse.org/bugs/show_bug.cgi?id=582631

gitlab.eclipse.org/security/cve-assignement/-/issues/15

gitlab.eclipse.org/security/vulnerability-reports/-/issues/169

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

7.3 High

AI Score

Confidence

Low

3.2 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:S/C:P/I:N/A:P

0.0005 Low

EPSS

Percentile

16.2%

JSON

Related for CVE-2023-6194

prion1 cvelist1 ubuntucve1