CVE-2021-34436

Summary

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.

Affected Software

VendorProductVersion RangeStatus
The Eclipse FoundationEclipse Theia0.1.1affected
The Eclipse FoundationEclipse Theia0.1.2affected
The Eclipse FoundationEclipse Theia0.2.0-next.28bc2735affected
The Eclipse FoundationEclipse Theia0.2.0-next.41406d98affected
The Eclipse FoundationEclipse Theia0.2.0-next.a2958907affected

Weaknesses

  • CWE-611: CWE-611
  • CWE-22: CWE-22

ADP Enrichment

CVE Program Container

Additional References

References