CVE-2021-34435

2021-09-0117:20:09

CWE-942

eclipse

www.cve.org

eclipse theia

mini-browser

rce

AI Score

8.8

Confidence

High

EPSS

0.003

Percentile

68.0%

JSON

In Eclipse Theia 0.3.9 to 1.8.1, the “mini-browser” extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file…

CNA Affected

[
  {
    "product": "Eclipse Theia",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.3.9",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "1.8.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

bugs.eclipse.org/bugs/show_bug.cgi?id=568018