CVE-2023-6194

Public Exploit

Description

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.

Remediation

Workaround:

A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini -Djavax.xml.accessExternalSchema= -Djavax.xml.accessExternalDTD=

References

Link	Tags
https://gitlab.eclipse.org/security/cve-assignement/-/issues/15	vendor advisory issue tracking exploit
https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631	patch exploit vendor advisory issue tracking
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169	vendor advisory issue tracking exploit

Frequently Asked Questions

What is the severity of CVE-2023-6194?: CVE-2023-6194 has been scored as a low severity vulnerability.
How to fix CVE-2023-6194?: As a workaround for remediating CVE-2023-6194: A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini -Djavax.xml.accessExternalSchema= -Djavax.xml.accessExternalDTD=
Is CVE-2023-6194 being actively exploited in the wild?: It is possible that CVE-2023-6194 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-6194?: CVE-2023-6194 affects Eclipse Foundation Eclipse Memory Analyzer (tools.mat).

Description

Remediation

Category

CWE-611 – Improper Restriction of XML External Entity Reference

References

Frequently Asked Questions