Vulnerabilities (CVE)

Filtered by vendor Eclipse Subscribe
Total 134 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-2576 1 Eclipse 1 Californium 2022-08-05 N/A 7.5 HIGH
In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
CVE-2022-2048 1 Eclipse 1 Jetty 2022-08-02 5.0 MEDIUM 7.5 HIGH
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.
CVE-2022-2047 1 Eclipse 1 Jetty 2022-08-02 4.0 MEDIUM 2.7 LOW
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
CVE-2021-28165 4 Eclipse, Jenkins, Netapp and 1 more 21 Jetty, Jenkins, Cloud Manager and 18 more 2022-07-29 7.8 HIGH 7.5 HIGH
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-28168 2 Eclipse, Oracle 3 Jersey, Communications Cloud Native Core Policy, Communications Cloud Native Core Unified Data Repository 2022-07-29 2.1 LOW 5.5 MEDIUM
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
CVE-2015-8031 1 Eclipse 1 Hudson 2022-07-27 N/A 9.8 CRITICAL
Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks.
CVE-2021-34429 3 Eclipse, Netapp, Oracle 14 Jetty, E-series Santricity Os Controller, E-series Santricity Web Services and 11 more 2022-07-25 5.0 MEDIUM 5.3 MEDIUM
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
CVE-2021-41037 1 Eclipse 1 Equinox P2 2022-07-15 6.8 MEDIUM 8.0 HIGH
In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.
CVE-2022-2191 1 Eclipse 1 Jetty 2022-07-15 5.0 MEDIUM 7.5 HIGH
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
CVE-2021-41042 1 Eclipse 1 Lyo 2022-07-15 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved.
CVE-2021-28164 3 Eclipse, Netapp, Oracle 17 Jetty, Cloud Manager, E-series Performance Analyzer and 14 more 2022-07-14 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-38443 1 Eclipse 1 Cyclonedds 2022-05-13 7.5 HIGH 9.8 CRITICAL
Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.
CVE-2021-38441 1 Eclipse 1 Cyclonedds 2022-05-13 7.5 HIGH 9.8 CRITICAL
Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.
CVE-2020-27218 4 Apache, Eclipse, Netapp and 1 more 16 Kafka, Spark, Jetty and 13 more 2022-05-12 5.8 MEDIUM 4.8 MEDIUM
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
CVE-2021-28163 5 Apache, Eclipse, Fedoraproject and 2 more 23 Ignite, Solr, Jetty and 20 more 2022-05-12 4.0 MEDIUM 2.7 LOW
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVE-2021-28169 4 Debian, Eclipse, Netapp and 1 more 8 Debian Linux, Jetty, Active Iq Unified Manager and 5 more 2022-05-12 5.0 MEDIUM 5.3 MEDIUM
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-34428 4 Debian, Eclipse, Netapp and 1 more 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more 2022-05-12 3.6 LOW 3.5 LOW
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVE-2020-6950 2 Eclipse, Oracle 9 Mojarra, Banking Enterprise Default Management, Banking Platform and 6 more 2022-05-12 4.3 MEDIUM 6.5 MEDIUM
Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
CVE-2021-41041 2 Eclipse, Oracle 2 Openj9, Java Se 2022-05-05 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.
CVE-2021-28170 3 Eclipse, Oracle, Quarkus 4 Jakarta Expression Language, Communications Cloud Native Core Policy, Weblogic Server and 1 more 2022-04-25 5.0 MEDIUM 5.3 MEDIUM
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.