Replies: 2 comments
-
It looks like a mistaken diagnosis to me. These are some of the fixes to which the CVE refers: BIRT 4.20.0 is using the 4.36 release of the Platform, so you can see it's using a very recent version of the core.runtime: Also this was changed in EMF: The release contains a version with that change: Probably some tool is not smart enough to realize that not all the bundles will have a version > 4.29, because the bundle versions are not coordinated with the overall release version of the Eclipse Platform. And of course the CVE doesn't actually list any details about any specific artifact nor their specific version, so it's kind of a bit worse than useless, in my opinion.
-
Thanks, I'll share it with our security group.
-
Hi,
We updated our project to use V4.20.0, and our scan found the following CVE.
Are you aware of that? Do you plan to fix it?
Aqua Description : In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
Vendor Statement : null
Vendor URL : null
NVD URL : https://nvd.nist.gov/vuln/detail/CVE-2023-4218
Fix Version : 4.29