CRITICAL🇬🇧 English

CVE-2021-34436

CVSS 9.8v3.1pub. 2021-09-02upd. 2024-11-21

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Eclipse Theia

    APP
    Eclipse
    0.1.1 – 0.2.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEXXEPath Traversal
CWE
Referencje

Powiązane podatności

CVE-2020-27224CRITICAL9.6ten sam produkt

In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited t...

CVE-2026-44688HIGH8.4ten sam produkt

In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as p...

CVE-2026-46580HIGH8.4ten sam produkt

In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace...

CVE-2026-44691HIGH8.4ten sam produkt

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json,...

CVE-2021-34435HIGH8.8ten sam produkt

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe...