External Entity Injection Vulnerability in Eclipse Memory Analyzer
CVE-2023-6194

2.8LOW

Key Information:

Vendor: Eclipse Foundation
Status: Eclipse Memory Analyzer (tools.mat)
Vendor: CVE Published:; 11 December 2023

What is CVE-2023-6194?

In Eclipse Memory Analyzer versions ranging from 0.7 to 1.14.0, a vulnerability exists that permits report definition XML files to include document type definition (DTD) references, leading to potential external entity injections. This issue can be exploited if a user mistakenly utilizes a maliciously crafted XML file containing DTD references, allowing the application to inadvertently access external files or URLs defined in that DTD, thereby posing a significant risk to the integrity and confidentiality of sensitive data.

Affected Version(s)

Eclipse Memory Analyzer (tools.mat) 0.7 <= 1.14.0

References

https://gitlab.eclipse.org/security/cve-assignement/-/iss...

https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631

https://gitlab.eclipse.org/security/vulnerability-reports...

CVSS V3.1

Score:

2.8

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 11, 2023
Vulnerability Reserved
Nov 17, 2023

Eclipse Foundation

What is CVE-2023-6194?

Affected Version(s)

References

CVSS V3.1

Timeline