CVE-2019-17637

Name: CVE-2019-17637
Description: In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| eclipse-wtp (PTS) | stretch | 3.6.3-3 | vulnerable |
| eclipse-wtp (PTS) | bullseye, sid | 3.18-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| eclipse-wtp | source | (unstable) | (unfixed) | | | |

Notes

https://bugs.eclipse.org/bugs/show_bug.cgi?id=458571
