CVE-2023-4218 | XXE in eclipse.platform / Eclipse IDE

Exp

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).

Published: 2023-11-09 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2023-4218 is rated Exploit Available (50/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.39%). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2023-4218

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2023-4218

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.03% 0.39% +0.36%
2 2025-11-21 0.06% 0.03% -0.04%
3 2025-11-18 0.06%

Full EPSS history (10 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-4218

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.0 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 1.3 3.6 [email protected]
5.0 3.1 MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
 1.3 3.6 [email protected]

Weakness enumeration for CVE-2023-4218

GitHub Security Advisory for CVE-2023-4218

GHSA-j24h-xcpc-9jw8 · Severity: medium · Ecosystem: maven — Eclipse IDE XXE in eclipse.platform

OS Trackers for CVE-2023-4218

vendor priority summary link
suse medium CVE-2023-4218 severity moderate: SUSE including 46 source package names (eclipse-contributor-tools-4.15-13.1, eclipse-contributor-tools-4.15-150200.4.16.4, …), 204 product×package rows across 22 product lines (SUSE Enterprise Storage 7.1, SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS, … (22 product lines)): Fixed 204. https://www.suse.com/security/cve/CVE-2023-4218/
ubuntu medium CVE-2023-4218 medium priority: Ubuntu including 1 source packages (eclipse), 12 status rows across 12 suites (bionic, focal, jammy, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 8, needs-triage 3, ignored 1. https://ubuntu.com/security/CVE-2023-4218

Affected software / configurations for CVE-2023-4218

Vendor Product Version Raw CPE
eclipse eclipse_ide < 4.29 cpe:2.3:a:eclipse:eclipse_ide:*:*:*:*:*:*:*:*
eclipse org.eclipse.core.runtime < 3.29.0 cpe:2.3:a:eclipse:org.eclipse.core.runtime:*:*:*:*:*:*:*:*
eclipse pde < 3.13.2400 cpe:2.3:a:eclipse:pde:*:*:*:*:*:*:*:*

References for CVE-2023-4218

URL Tags
https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b Patch
https://github.com/eclipse-emf/org.eclipse.emf/issues/10 Issue Tracking Third Party Advisory
https://github.com/eclipse-jdt/eclipse.jdt.core/commit/38dd2a878f45cdb3d8d52090f1d6d1b532fd4c4d Patch
https://github.com/eclipse-jdt/eclipse.jdt.ui/commit/13675b1f8a74f47de4da89ed0ded6af7c21dfbec Patch
https://github.com/eclipse-pde/eclipse.pde/pull/632/ Patch
https://github.com/eclipse-pde/eclipse.pde/pull/667/ Patch
https://github.com/eclipse-platform/eclipse.platform.releng.buildtools/pull/45 Patch
https://github.com/eclipse-platform/eclipse.platform.swt/commit/bf71db5ddcb967c0863dad4745367b54f49e06ba Patch
https://github.com/eclipse-platform/eclipse.platform.ui/commit/f243cf0a28785b89b7c50bf4e1cce48a917d89bd Patch
https://github.com/eclipse-platform/eclipse.platform/pull/761 Patch
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 Exploit Issue Tracking Vendor Advisory
cvelogic Threat Intelligence