CVE-2021-34436
moderate-risk
Published 2021-09-02
In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.
Do I need to act?
~
3.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Theia
Affected Vendors
References (2)
Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=563174
Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=563174
44
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
7/34 · Low
Exposure
5/34 · Minimal