org.eclipse.core.runtime-3.29.0.jar: 1 vulnerabilities (highest severity is: 5.0) - autoclosed #177
Comments
3.29.0 is the newest version of this jar available. Per https://www.cve.org/CVERecord?id=CVE-2023-4218 the impacted versions are "before 3.29.0" so I'm not sure why it's alerting on version 3.29.0.
The CVE record linked above is very clear about what the "before" syntax means:
This would mean the "affected version doesn't include 3.29.0", so I do not understand why Mend is alerting on it. Per the CVE, this vulnerability requires user interaction (Eclipse IDE) with a rogue XML file. The only use in this repo is as a transitive dependency of Spotless, which uses the Eclipse formatter. We are referencing our own local XML file. Users should update to the newest Eclipse version (I have done so). I don't see any other action we can take as a repo for this. By specifying the version in our forced override, this will permit Mend to auto-update the version when a new version is available.
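The disagreement in this thread is about what a CVE record's "before X" range means for the exact version X. The following is an added example, not code from this repository or from Mend, that applies the CVE 5.x `affected[].versions[]` semantics (`version` as the inclusive lower bound, `lessThan` exclusive, `lessThanOrEqual` inclusive, `*` as an unbounded upper limit) to a resolved artifact version. The record in the block is constructed for illustration in the shape of a CVE 5.x entry; its vendor/product strings are assumptions, and only the range semantics ("before 3.29.0", so 3.29.0 itself is not affected) come from the page. The "first matching entry wins" precedence rule is a simplification of the schema.

```python
"""Check a CVE 5.x-style affected-version range against a resolved artifact version.

Added example; not code from the repository or from Mend. SAMPLE_AFFECTED is a
constructed record in the shape of a CVE 5.x 'affected' entry, not a verbatim
copy of the CVE-2023-4218 record.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample in the shape of the CVE 5.x JSON 'affected' array.
SAMPLE_AFFECTED = [
    {
        "vendor": "eclipse",                    # assumed value for the example
        "product": "org.eclipse.core.runtime",  # assumed value for the example
        "defaultStatus": "unaffected",
        "versions": [
            {
                "version": "0",
                "lessThan": "3.29.0",   # "before 3.29.0": 3.29.0 itself is NOT affected
                "status": "affected",
                "versionType": "custom",
            }
        ],
    }
]


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into an integer tuple. A trailing non-numeric
    qualifier such as '.v20230101-0000' or '-SNAPSHOT' is dropped, which is
    adequate for Eclipse platform jars (x.y.z[.qualifier])."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare, zero-padding so that 3.29 == 3.29.0."""
    n = max(len(a), len(b))
    a2, b2 = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def range_contains(entry: dict, candidate: str) -> bool:
    """True if 'candidate' falls inside one 'versions' entry.
    'lessThan' is exclusive, 'lessThanOrEqual' is inclusive, '*' means no upper
    bound, and an entry with neither bound names a single version."""
    c = parse_version(candidate)
    if _cmp(c, parse_version(entry["version"])) < 0:
        return False
    if "lessThan" in entry:
        upper = entry["lessThan"]
        return upper == "*" or _cmp(c, parse_version(upper)) < 0
    if "lessThanOrEqual" in entry:
        upper = entry["lessThanOrEqual"]
        return upper == "*" or _cmp(c, parse_version(upper)) <= 0
    return _cmp(c, parse_version(entry["version"])) == 0


def is_affected(affected: Iterable[dict], candidate: str) -> bool:
    """First matching 'versions' entry decides (simplification of the CVE 5.x
    precedence rule); otherwise the product's defaultStatus applies, which is
    taken as 'unaffected' when absent."""
    for product in affected:
        for entry in product.get("versions", []):
            if range_contains(entry, candidate):
                return entry.get("status", "affected") == "affected"
        if product.get("defaultStatus", "unaffected") == "affected":
            return True
    return False


if __name__ == "__main__":
    for v in ("3.28.0", "3.29.0", "3.29.0.v20230101-0000", "3.30.0"):
        print(v, "affected" if is_affected(SAMPLE_AFFECTED, v) else "not affected")
```

Run against the versions in the `__main__` block, 3.28.0 is reported affected while 3.29.0 (with or without an Eclipse-style qualifier) and 3.30.0 are not, which is the reading of "before 3.29.0" argued for above. A scanner that treats `lessThan` as inclusive, or that matches on a different product entry than the one shown, would flag 3.29.0; comparing the scanner's finding against the record's `versions` array this way is the quickest way to tell which of the two is happening.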
We can wait for Spotless to release a new version to address this CVE.
We are overriding the Spotless version. We would need a new Eclipse core runtime version. My point is, per the CVE, this JAR isn't affected.
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
And it looks like my complaint to mend.io found its way into the system and they marked it properly :)
Vulnerable Library - org.eclipse.core.runtime-3.29.0.jar
Core Runtime
Library home page: https://projects.eclipse.org/projects/eclipse.platform
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.platform/org.eclipse.core.runtime/3.29.0/efd86c19f870535fe8d561f7c2fdd5767158e117/org.eclipse.core.runtime-3.29.0.jar
Found in HEAD commit: 2dcfc9c82095771e560e2de2495e1c8a95ad4fe2
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-4218
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In Eclipse IDE versions < 2023-09 (4.29), some files with XML content are parsed in a way that is vulnerable to all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example, to review a foreign repository or patch).
Publish Date: 2023-11-09
URL: CVE-2023-4218
CVSS 3 Score Details (5.0)
Base Score Metrics: