Filtered by vendor Eclipse
Subscribe
Total
150 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-20227 | 1 Eclipse | 1 Rdf4j | 2024-02-04 | 6.4 MEDIUM | 7.5 HIGH |
RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP archive. | |||||
CVE-2018-12542 | 2 Eclipse, Microsoft | 2 Vert.x, Windows | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. | |||||
CVE-2018-12537 | 1 Eclipse | 1 Vert.x | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response. | |||||
CVE-2018-12543 | 1 Eclipse | 1 Mosquitto | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. | |||||
CVE-2018-20145 | 1 Eclipse | 1 Mosquitto | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored. | |||||
CVE-2018-12544 | 1 Eclipse | 1 Vert.x | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema. | |||||
CVE-2018-14371 | 1 Eclipse | 1 Mojarra | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications. | |||||
CVE-2018-12547 | 2 Eclipse, Redhat | 5 Openj9, Enterprise Linux Desktop, Enterprise Linux Server and 2 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code. | |||||
CVE-2018-12548 | 1 Eclipse | 1 Openj9 | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code. | |||||
CVE-2018-12539 | 2 Eclipse, Oracle | 2 Openj9, Enterprise Manager Base Platform | 2024-02-04 | 4.6 MEDIUM | 7.8 HIGH |
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no. | |||||
CVE-2018-12538 | 2 Eclipse, Netapp | 12 Jetty, E-series Santricity Management Plug-ins, E-series Santricity Os Controller and 9 more | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. | |||||
CVE-2018-12536 | 2 Eclipse, Oracle | 2 Jetty, Retail Xstore Point Of Service | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. | |||||
CVE-2017-7651 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol. | |||||
CVE-2017-8315 | 1 Eclipse | 1 Ide | 2024-02-04 | 7.8 HIGH | 7.5 HIGH |
Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml. | |||||
CVE-2017-7652 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2024-02-04 | 6.0 MEDIUM | 7.5 HIGH |
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail. | |||||
CVE-2017-7654 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker. | |||||
CVE-2017-7653 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2024-02-04 | 3.5 LOW | 5.3 MEDIUM |
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients. | |||||
CVE-2017-7657 | 5 Debian, Eclipse, Hp and 2 more | 18 Debian Linux, Jetty, Xp P9000 and 15 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. | |||||
CVE-2017-7658 | 5 Debian, Eclipse, Hp and 2 more | 20 Debian Linux, Jetty, Xp P9000 and 17 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. | |||||
CVE-2017-7656 | 2 Debian, Eclipse | 2 Debian Linux, Jetty | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response. |