CVE-2023-4218 (Medium) detected in org.eclipse.core.runtime-3.26.100.jar #3688
Comments
[Triage] Someone should check on whether this is a concern and address if required.
Transitive dependency from spotless (for formatting). Can resolve by forcing newest version of the dependency.
Note the version fix requires JDK 17+ (for running Spotless, so configure your CI appropriately).
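The remediation described in the comment above (force the transitive Eclipse runtime to the fixed release and guard the JDK 17+ requirement for Spotless), as an added Gradle example that is not the project's own build file. It assumes the Groovy DSL, that the artifact is `org.eclipse.platform:org.eclipse.core.runtime`, that Spotless resolves its classpath through configurations in the project's container, and that the fixed version number is taken from the CVE-2023-4218 advisory (placeholder below).

```groovy
// build.gradle (Groovy DSL) -- added example, not this repository's build file.
// PLACEHOLDER: substitute the release that resolves CVE-2023-4218 per the advisory.
def eclipseRuntimeFixedVersion = '<FIXED_VERSION_FROM_ADVISORY>'

// Pin the transitive org.eclipse.core.runtime artifact in every configuration,
// including the ones Spotless uses for its formatter classpath (assumption:
// Spotless resolves through configurations registered in this container).
configurations.all {
    resolutionStrategy {
        force "org.eclipse.platform:org.eclipse.core.runtime:${eclipseRuntimeFixedVersion}"
    }
}

// The patched runtime needs JDK 17+ to run Spotless. Fail early, and only when a
// Spotless task actually executes, so ordinary builds on older JDKs are unaffected
// and CI misconfiguration surfaces as a clear message rather than a class-version error.
tasks.matching { it.name.startsWith('spotless') }.configureEach {
    doFirst {
        if (JavaVersion.current() < JavaVersion.VERSION_17) {
            throw new GradleException(
                "Spotless with the patched Eclipse runtime requires JDK 17+, " +
                "but this build is running on JDK ${JavaVersion.current()}")
        }
    }
}
```

To confirm the pin took effect, inspect the resolved version with `./gradlew dependencyInsight --dependency org.eclipse.core.runtime --configuration <name>` for the configuration in question; the forced version should be reported instead of 3.26.100.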
Thanks for looking into this @dbwiddis let me see about duplicating the changes you made to ai flow :)
CVE-2023-4218 - Medium Severity Vulnerability
Vulnerable Library - org.eclipse.core.runtime-3.26.100.jar
Core Runtime
Library home page: https://projects.eclipse.org/projects/eclipse.platform
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.platform/org.eclipse.core.runtime/3.26.100/83c77ee0cfc948ea33f5054dda3f5c39250a7ed5/org.eclipse.core.runtime-3.26.100.jar
Dependency Hierarchy:
Found in HEAD commit: af149372b8b59259811625dcccadb402c5c32bd5
Found in base branch: main
Vulnerability Details
In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any malicious project or update an open project with a vulnerable file (for example, to review a foreign repository or patch).
Publish Date: 2023-11-09
URL: CVE-2023-4218
CVSS 3 Score Details (5.0)
Base Score Metrics: