CVE-2023-6194

Summary

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition.

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationEclipse Memory Analyzer (tools.mat)0.7 <= 1.14.0affected

Weaknesses

  • CWE-611: CWE-611 Improper Restriction of XML External Entity Reference

Workarounds

A workaround for Eclipse Memory Analyzer 1.14.0 and earlier is to run MAT with the following system properties set in MemoryAnalyzer.ini

-Djavax.xml.accessExternalSchema= -Djavax.xml.accessExternalDTD=

ADP Enrichment

CVE Program Container

Additional References

References