What is the vulnerability ID for this Eclipse BIRT vulnerability?

The vulnerability ID for this Eclipse BIRT vulnerability is CVE-2023-0100.

What is the severity of CVE-2023-0100?

The severity of CVE-2023-0100 is high with a severity value of 8.8.

What is the description of CVE-2023-0100?

CVE-2023-0100 is a vulnerability in Eclipse BIRT that allows an attacker to retrieve a report from the same host using an absolute HTTP path for the report parameter.

Which version of Eclipse BIRT is affected by CVE-2023-0100?

Eclipse BIRT versions 2.6.2 to 4.13.0 are affected by CVE-2023-0100.

Is there a fix for CVE-2023-0100?

Yes, a fix for CVE-2023-0100 is available. It is recommended to upgrade to a version of Eclipse BIRT beyond 4.13.0.

Vulnerability/
CVE-2023-0100

high

8.8

CWE

15/3/2023

22/3/2023

CVE-2023-0100: Input Validation

First published: Wed Mar 15 2023(Updated: )

In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched on Eclipse BIRT 4.13.

Credit: emo@eclipse.org

Affected Software	Affected Version	How to fix
Eclipse Business Intelligence And Reporting Tools	>=2.6.2<4.13.0

Never miss a vulnerability like this again

Reference Links

https://bugs.eclipse.org/bugs/show_bug.cgi?id=580391

Frequently Asked Questions

What is the vulnerability ID for this Eclipse BIRT vulnerability?
The vulnerability ID for this Eclipse BIRT vulnerability is CVE-2023-0100.
What is the severity of CVE-2023-0100?
The severity of CVE-2023-0100 is high with a severity value of 8.8.
What is the description of CVE-2023-0100?
CVE-2023-0100 is a vulnerability in Eclipse BIRT that allows an attacker to retrieve a report from the same host using an absolute HTTP path for the report parameter.
Which version of Eclipse BIRT is affected by CVE-2023-0100?
Eclipse BIRT versions 2.6.2 to 4.13.0 are affected by CVE-2023-0100.
Is there a fix for CVE-2023-0100?
Yes, a fix for CVE-2023-0100 is available. It is recommended to upgrade to a version of Eclipse BIRT beyond 4.13.0.

collector/nvd-index
agent/weakness
agent/severity
agent/references
agent/author
agent/description
agent/tags
agent/type
agent/event
agent/softwarecombine
agent/first-publish-date
agent/last-modified-date
vendor/eclipse
canonical/eclipse business intelligence and reporting tools
version/eclipse business intelligence and reporting tools/2.6.2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.