https://bugzilla.redhat.com/show_bug.cgi?id=1857369
Bug ID: 1857369
Summary: CVE-2019-17637 eclipse-webtools: XML external entity vulnerability in DTD Parser/Validator
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: eclipse-sig@lists.fedoraproject.org, gerard@ryan.lt, mat.booth@redhat.com
Target Milestone: ---
Classification: Other
In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences.
Upstream bug:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=458571
Pedro Sampaio psampaio@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Depends On |        |1857370
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1857370 [Bug 1857370] CVE-2019-17637 eclipse-webtools: XML external entity vulnerability in DTD Parser/Validator [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com ---
Created eclipse-webtools tracking bugs for this issue:
Affects: fedora-all [bug 1857370]
Pedro Sampaio psampaio@redhat.com changed:
What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |1857371
Stefan Cornelius scorneli@redhat.com changed:
What             |Removed |Added
----------------------------------------------------------------------------
Fixed In Version |        |eclipse web tools platform 3.19
--- Comment #3 from Stefan Cornelius scorneli@redhat.com ---
Patch: https://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/?i...
Bug 1857369 depends on bug 1857370, which changed state.
Bug 1857370 Summary: CVE-2019-17637 eclipse-webtools: XML external entity vulnerability in DTD Parser/Validator [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1857370
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |CLOSED
Resolution |---     |EOL