CVE-2019-17637

Severity: 7.1 HIGH
Vulnerability Type: XXE (XML External Entity)

📋 TL;DR

This vulnerability in Eclipse Web Tools Platform allows XML External Entity (XXE) attacks even when external entity resolution is disabled in user preferences. When users edit or validate XML/DTD files containing malicious external entity references, local file contents can be exfiltrated to remote servers. All Eclipse Web Tools Platform users through version 3.18 are affected.

💻 Affected Systems

Products:
  • Eclipse Web Tools Platform
Versions: All versions through 3.18 (2020-06)
Operating Systems: All platforms running Eclipse
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable even when external entity resolution is disabled in user preferences. Affects XML and DTD file editing/validation functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive local files (including configuration files, credentials, or proprietary data) are exfiltrated to attacker-controlled servers, leading to data breach and potential lateral movement.

🟠 Likely Case

Attackers trick users into opening malicious XML files, resulting in leakage of local file contents that could contain sensitive information.

🟢 If Mitigated

With proper network segmentation and user awareness, impact is limited to isolated development environments with minimal sensitive data.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening/validating malicious XML file). XXE attacks are well-documented with established techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.19 or later

Vendor Advisory: https://bugs.eclipse.org/bugs/show_bug.cgi?id=458571

Restart Required: Yes

Instructions:

1. Update the Eclipse IDE to the latest version.
2. Ensure Web Tools Platform is updated to 3.19 or later.
3. Restart Eclipse after the update.

🔧 Temporary Workarounds

Disable XML validation (applies to: all platforms)

Temporarily disable XML validation in Eclipse preferences to prevent exploitation via the validator.

Use an external XML editor (applies to: all platforms)

Edit XML/DTD files in an external editor until the patch is applied.

🧯 If You Can't Patch

  • Implement strict network egress filtering to block outbound connections from development workstations
  • Educate users to never open untrusted XML/DTD files and implement file type restrictions
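The two bullets above depend on people recognizing a risky file before Eclipse touches it. As an added example (not code from the advisory or from Eclipse WTP), the script below pre-screens XML/DTD text for the declarations that make an XXE possible at all: an external DTD on the DOCTYPE, or a general or parameter entity with a SYSTEM/PUBLIC identifier. It is a simple textual check, so a file it flags should be reviewed rather than opened in the IDE; the sample documents and the URIs in them are constructed for the demonstration.

```python
"""Pre-screen XML/DTD content for external entity declarations before it is
opened in an editor or validator. Constructed example; not Eclipse WTP code."""
import re
from typing import List, NamedTuple


class ExternalRef(NamedTuple):
    kind: str   # "doctype", "entity" or "parameter-entity"
    name: str   # entity name, or root element name for a DOCTYPE
    uri: str    # SYSTEM/PUBLIC identifier the parser would try to fetch


_QUOTED = r"(?:\"[^\"]*\"|'[^']*')"

# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "pubid" "uri">
_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%]+)\s+"
    r"(?:SYSTEM\s+(?P<sys>" + _QUOTED + r")"
    r"|PUBLIC\s+" + _QUOTED + r"\s+(?P<pub>" + _QUOTED + r"))",
    re.IGNORECASE,
)

# <!DOCTYPE root SYSTEM "uri">  or  <!DOCTYPE root PUBLIC "pubid" "uri">
# (an internal subset "<!DOCTYPE root [" does not match by itself)
_DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<name>[^\s\[>]+)\s+"
    r"(?:SYSTEM\s+(?P<sys>" + _QUOTED + r")"
    r"|PUBLIC\s+" + _QUOTED + r"\s+(?P<pub>" + _QUOTED + r"))",
    re.IGNORECASE,
)


def find_external_refs(text: str) -> List[ExternalRef]:
    """Return every external DTD or external entity declaration in the text."""
    refs: List[ExternalRef] = []
    for m in _DOCTYPE_RE.finditer(text):
        uri = (m.group("sys") or m.group("pub")).strip("\"'")
        refs.append(ExternalRef("doctype", m.group("name"), uri))
    for m in _ENTITY_RE.finditer(text):
        uri = (m.group("sys") or m.group("pub")).strip("\"'")
        kind = "parameter-entity" if m.group("param") else "entity"
        refs.append(ExternalRef(kind, m.group("name"), uri))
    return refs


def is_safe_to_open(text: str) -> bool:
    """True when the document declares nothing a parser would resolve externally."""
    return not find_external_refs(text)


# Constructed sample documents (not from the advisory).
CLEAN = '<?xml version="1.0"?>\n<config><name>demo</name></config>\n'

LOCAL_FILE_ENTITY = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE config [\n'
    '  <!ENTITY ext SYSTEM "file:///etc/hostname">\n'
    ']>\n'
    '<config>&ext;</config>\n'
)

REMOTE_PARAMETER_ENTITY = (
    '<!DOCTYPE config [\n'
    '  <!ENTITY % remote SYSTEM "http://dtd.example.invalid/x.dtd">\n'
    '  %remote;\n'
    ']>\n'
    '<config/>\n'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN),
                       ("local file entity", LOCAL_FILE_ENTITY),
                       ("remote parameter entity", REMOTE_PARAMETER_ENTITY)):
        verdict = "ok" if is_safe_to_open(doc) else "REVIEW BEFORE OPENING"
        print(f"{label}: {verdict}")
        for ref in find_external_refs(doc):
            print(f"  {ref.kind} {ref.name!r} -> {ref.uri}")
```

Run it over a directory of downloaded or mailed XML/DTD files before they are imported into a workspace; anything that prints a `REVIEW` line is exactly the class of document the "never open untrusted XML/DTD files" bullet is about. The check is deliberately conservative: it also flags legitimate external DTD references, which is the right trade-off on an unpatched workstation.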

🔍 How to Verify

Check if Vulnerable:

Check Eclipse Help > About Eclipse > Installation Details > Installed Software for Web Tools Platform version

Check Version:

Not applicable; there is no command-line check, so use the Eclipse GUI as described above.

Verify Fix Applied:

Verify Web Tools Platform version is 3.19 or higher in installed software list

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Eclipse process
  • Large file reads by Eclipse process

Network Indicators:

  • HTTP requests to unusual domains from development workstations
  • Outbound traffic containing file contents

SIEM Query:

process:eclipse.exe AND ((destination_ip:external AND http_request) OR (file_read:*.xml AND network_egress))
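The query above is pseudo-syntax, and most SIEMs cannot express "an XML read followed shortly by external egress from the same process" in one line. As an added example (not from the advisory or any vendor tool), the script below implements that correlation over constructed endpoint events: it keeps recent XML/DTD reads per Eclipse process and raises an alert when the same process then connects to a non-internal address within a short window. The event tuples, the process names, the 30-second window and the internal network list are all assumptions for the demonstration.

```python
"""Correlate endpoint telemetry into the alert the SIEM query describes:
an Eclipse process reads an XML/DTD file and then makes an outbound
connection to a non-internal address within a short window.
Constructed example with constructed events; not an Eclipse or vendor tool."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed telemetry: (ISO timestamp, process, event kind, detail).
EVENTS = [
    ("2020-06-10T09:00:01", "eclipse.exe", "file_read",   "C:\\work\\pom.xml"),
    ("2020-06-10T09:00:02", "eclipse.exe", "net_connect", "10.0.0.5:443"),      # internal: ignored
    ("2020-06-10T09:05:10", "eclipse.exe", "file_read",   "C:\\downloads\\invoice.xml"),
    ("2020-06-10T09:05:11", "eclipse.exe", "net_connect", "203.0.113.7:80"),    # external, 1 s after read
    ("2020-06-10T09:30:00", "chrome.exe",  "net_connect", "203.0.113.7:80"),    # other process: ignored
    ("2020-06-10T10:00:00", "eclipse.exe", "net_connect", "198.51.100.9:80"),   # no recent XML read
]

ECLIPSE_PROCS = {"eclipse.exe", "eclipse"}          # assumed process names
WINDOW = timedelta(seconds=30)                      # assumed correlation window
XML_EXT = (".xml", ".dtd", ".xsd")
# "Internal" is defined explicitly rather than via ipaddress.is_global, so the
# verdict does not depend on how a given Python version classifies a range.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(dest: str) -> bool:
    """True when the destination 'ip:port' is outside the internal networks."""
    addr = ip_address(dest.rsplit(":", 1)[0])
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, window: timedelta = WINDOW) -> List[dict]:
    """Return one alert per external connection preceded by an XML/DTD read."""
    alerts: List[dict] = []
    recent_reads: Dict[str, List[Tuple[datetime, str]]] = {}
    for ts_str, proc, kind, detail in sorted(events):
        if proc not in ECLIPSE_PROCS:
            continue
        ts = datetime.fromisoformat(ts_str)
        if kind == "file_read" and detail.lower().endswith(XML_EXT):
            recent_reads.setdefault(proc, []).append((ts, detail))
        elif kind == "net_connect" and is_external(detail):
            files = [path for t, path in recent_reads.get(proc, [])
                     if timedelta(0) <= ts - t <= window]
            if files:
                alerts.append({"time": ts_str, "process": proc,
                               "dest": detail, "files": files})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(f"{alert['time']} {alert['process']} -> {alert['dest']} "
              f"after reading {', '.join(alert['files'])}")
```

On the sample data only the 09:05:11 connection fires: the earlier connection goes to an internal address, the browser is not an Eclipse process, and the 10:00 connection has no XML read within the window. Tune the window and the internal network list to the environment, and feed it real file and network events from the endpoint agent rather than the constructed list.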
