CVE-2019-17637

Name: CVE-2019-17637
Description: In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences.
Source: CVE (at NVD)
References: DLA-2404-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                   Version          Status
eclipse-wtp      stretch                   3.6.3-3          vulnerable
                 stretch (security)        3.6.3-3+deb9u1   fixed
                 bookworm, sid, bullseye   3.18-5           fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version     Urgency   Origin       Debian Bugs
eclipse-wtp   source   stretch      3.6.3-3+deb9u1              DLA-2404-1
eclipse-wtp   source   (unstable)   3.18-1

Notes

https://bugs.eclipse.org/bugs/show_bug.cgi?id=458571
http://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/?id=9644d4217cd6e3be367d654a8320104d88ddfd6b
Issue fixed with the packaging of the 3.18 upstream version: in the Debian
source (re)packaging, DTDParser.java and DTDValidator.java were removed.
