CVE-2021-34436
N/A
N/A
Summary
In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The Eclipse Foundation | Eclipse Theia | 0.1.1 | affected |
| The Eclipse Foundation | Eclipse Theia | 0.1.2 | affected |
| The Eclipse Foundation | Eclipse Theia | 0.2.0-next.28bc2735 | affected |
| The Eclipse Foundation | Eclipse Theia | 0.2.0-next.41406d98 | affected |
| The Eclipse Foundation | Eclipse Theia | 0.2.0-next.a2958907 | affected |
Weaknesses
- CWE-611: CWE-611
- CWE-22: CWE-22
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.