Filtered by vendor Eclipse
Subscribe
Total
150 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41037 | 1 Eclipse | 1 Equinox P2 | 2024-02-04 | 6.8 MEDIUM | 8.0 HIGH |
| In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source. | |||||
| CVE-2015-8031 | 1 Eclipse | 1 Hudson | 2024-02-04 | N/A | 9.8 CRITICAL |
| Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks. | |||||
| CVE-2022-2576 | 1 Eclipse | 1 Californium | 2024-02-04 | N/A | 7.5 HIGH |
| In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0. | |||||
| CVE-2022-2047 | 3 Debian, Eclipse, Netapp | 7 Debian Linux, Jetty, Element Plug-in For Vcenter Server and 4 more | 2024-02-04 | 4.0 MEDIUM | 2.7 LOW |
| In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. | |||||
| CVE-2022-25897 | 1 Eclipse | 1 Milo | 2024-02-04 | N/A | 7.5 HIGH |
| The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. | |||||
| CVE-2022-2048 | 4 Debian, Eclipse, Jenkins and 1 more | 8 Debian Linux, Jetty, Jenkins and 5 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. | |||||
| CVE-2021-41041 | 2 Eclipse, Oracle | 2 Openj9, Java Se | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. | |||||
| CVE-2022-0673 | 1 Eclipse | 1 Lemminx | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
| A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoning of external schema files due to directory traversal. | |||||
| CVE-2022-0672 | 1 Eclipse | 1 Lemminx | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in LemMinX in versions prior to 0.19.0. Insecure redirect could allow unauthorized access to sensitive information locally if LemMinX is run under a privileged user. | |||||
| CVE-2021-38441 | 1 Eclipse | 1 Cyclonedds | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | |||||
| CVE-2021-38443 | 1 Eclipse | 1 Cyclonedds | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | |||||
| CVE-2021-41038 | 1 Eclipse | 1 Theia | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | |||||
| CVE-2021-41033 | 1 Eclipse | 1 Equinox | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
| In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | |||||
| CVE-2021-41036 | 1 Eclipse | 1 Paho Mqtt C\/c\+\+ Client | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket. | |||||
| CVE-2021-41034 | 1 Eclipse | 1 Che | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
| The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che. | |||||
| CVE-2021-32834 | 1 Eclipse | 1 Keti | 2024-02-04 | 6.5 MEDIUM | 9.9 CRITICAL |
| Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063. | |||||
| CVE-2021-41039 | 1 Eclipse | 1 Mosquitto | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. | |||||
| CVE-2021-41040 | 1 Eclipse | 1 Wakaama | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data. | |||||
| CVE-2021-32835 | 1 Eclipse | 1 Keti | 2024-02-04 | 6.5 MEDIUM | 9.9 CRITICAL |
| Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063. | |||||
| CVE-2021-34431 | 1 Eclipse | 1 Mosquitto | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker. | |||||