History: Sep 02, 2021 - 8:55 p.m.

CVE-2021-34436

2021-09-02 20:55:10
CWE-22
CWE-611
eclipse
www.cve.org

9.9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.0%

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.

CNA Affected

[
  {
    "product": "Eclipse Theia",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "0.1.1"
      },
      {
        "status": "affected",
        "version": "0.1.2"
      },
      {
        "status": "affected",
        "version": "0.2.0-next.28bc2735"
      },
      {
        "status": "affected",
        "version": "0.2.0-next.41406d98"
      },
      {
        "status": "affected",
        "version": "0.2.0-next.a2958907"
      }
    ]
  }
]
