CVE-2023-6194 Vulnerability Details

  /     /     /  

CVE-2023-6194 Metadata Quick Info

CVE Published: 11/12/2023 | CVE Updated: 02/08/2024 | CVE Year: 2023
Source: eclipse | Vendor: Eclipse Foundation | Product: Eclipse Memory Analyzer (tools.mat)
Status : PUBLISHED

---

CVE-2023-6194 Description

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.

Metrics

CVSS Version: 3.1 | Base Score: 2.8 LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* LOCAL
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* NONE
    Integrity Impact (I)* LOW
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-611
CWE Name: CWE-611 Improper Restriction of XML External Entity Reference
Source: Eclipse Foundation

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).