Remote Code Execution and XXE Vulnerability in Eclipse Theia 0.1.1 to 0.2.0 via theia-xml-extension

CVE-2021-34436 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) to provide language support for XML, and it is installed by default.
