{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-6194","assignerOrgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","state":"PUBLISHED","assignerShortName":"eclipse","dateReserved":"2023-11-17T16:32:44.668Z","datePublished":"2023-12-11T14:04:51.680Z","dateUpdated":"2024-08-02T08:21:17.798Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Eclipse Memory Analyzer (tools.mat)","vendor":"Eclipse Foundation","versions":[{"lessThanOrEqual":"1.14.0","status":"affected","version":"0.7","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit\ndocument type definition (DTD) references to external entities.\nThis means that if a user chooses to use a malicious report definition XML file containing an external entity reference\nto generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.<br>"}],"value":"In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit\ndocument type definition (DTD) references to external entities.\nThis means that if a user chooses to use a malicious report definition XML file containing an external entity reference\nto generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report 
definition.\n"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":2.8,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-611","description":"CWE-611 Improper Restriction of XML External Entity Reference","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","shortName":"eclipse","dateUpdated":"2023-12-11T14:04:51.680Z"},"references":[{"url":"https://gitlab.eclipse.org/security/cve-assignement/-/issues/15"},{"url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631"},{"url":"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169"}],"source":{"discovery":"UNKNOWN"},"workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following JVM system properties added to MemoryAnalyzer.ini. Setting each property to an empty value instructs the Java XML parsers to permit no protocol for fetching external DTDs and schemas, so an external entity reference in a report definition is refused rather than resolved:</p>\n<div>\n<pre><code>-Djavax.xml.accessExternalSchema=\n-Djavax.xml.accessExternalDTD=</code></pre></div>\n<p>Until MAT is upgraded to a release later than 1.14.0, generate reports only from report definition XML files obtained from a trusted source.</p><br>"}],"value":"A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following JVM system properties added to MemoryAnalyzer.ini. Setting each property to an empty value instructs the Java XML parsers to permit no protocol for fetching external DTDs and schemas, so an external entity reference in a report definition is refused rather than resolved:\n\n-Djavax.xml.accessExternalSchema=\n-Djavax.xml.accessExternalDTD=\n\nUntil MAT is upgraded to a release later than 1.14.0, generate reports only from report definition XML files obtained from a trusted source.\n"}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T08:21:17.798Z"},"title":"CVE Program Container","references":[{"url":"https://gitlab.eclipse.org/security/cve-assignement/-/issues/15","tags":["x_transferred"]},{"url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631","tags":["x_transferred"]},{"url":"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169","tags":["x_transferred"]}]}]}}