Vulnerabilities > CVE-2023-6194 - XXE vulnerability in Eclipse Memory Analyzer
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
HIGH Summary
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/15
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/15
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169