Vulnerabilities (CVE)

Filtered by vendor Eclipse Subscribe
Total 120 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-41038 1 Eclipse 1 Theia 2021-11-13 4.3 MEDIUM 6.1 MEDIUM
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
CVE-2021-41036 1 Eclipse 1 Paho Mqtt C\/c\+\+ Client 2021-11-04 7.5 HIGH 9.8 CRITICAL
In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.
CVE-2017-7655 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2021-11-02 5.0 MEDIUM 7.5 HIGH
In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.
CVE-2019-11779 5 Canonical, Debian, Eclipse and 2 more 6 Ubuntu Linux, Debian Linux, Mosquitto and 3 more 2021-10-28 4.0 MEDIUM 6.5 MEDIUM
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
CVE-2019-10240 1 Eclipse 1 Hawkbit 2021-10-28 6.8 MEDIUM 8.1 HIGH
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.
CVE-2019-10245 2 Eclipse, Redhat 6 Openj9, Enterprise Linux, Enterprise Linux Desktop and 3 more 2021-10-28 5.0 MEDIUM 7.5 HIGH
In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load.
CVE-2019-11773 1 Eclipse 1 Omr 2021-10-28 4.4 MEDIUM 7.8 HIGH
Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
CVE-2021-34429 3 Apache, Eclipse, Netapp 9 Zookeeper, Jetty, E-series Santricity Os Controller and 6 more 2021-10-28 5.0 MEDIUM 5.3 MEDIUM
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
CVE-2021-28164 3 Apache, Eclipse, Netapp 15 Ignite, Solr, Zookeeper and 12 more 2021-10-28 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-41035 1 Eclipse 1 Openj9 2021-10-28 7.5 HIGH 9.8 CRITICAL
In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.
CVE-2021-28170 2 Eclipse, Quarkus 2 Jakarta Expression Language, Quarkus 2021-10-20 5.0 MEDIUM 5.3 MEDIUM
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
CVE-2021-34428 3 Debian, Eclipse, Netapp 8 Debian Linux, Jetty, Active Iq Unified Manager and 5 more 2021-10-20 3.6 LOW 3.5 LOW
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVE-2021-28165 1 Eclipse 1 Jetty 2021-10-20 7.8 HIGH 7.5 HIGH
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVE-2021-28163 4 Apache, Eclipse, Fedoraproject and 1 more 15 Ignite, Solr, Jetty and 12 more 2021-10-20 4.0 MEDIUM 2.7 LOW
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVE-2021-28169 2 Debian, Eclipse 2 Debian Linux, Jetty 2021-10-20 5.0 MEDIUM 5.3 MEDIUM
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2020-27218 2 Eclipse, Netapp 3 Jetty, Oncommand System Manager, Snap Creator Framework 2021-10-20 5.8 MEDIUM 4.8 MEDIUM
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
CVE-2020-6950 1 Eclipse 1 Mojarra 2021-10-20 4.3 MEDIUM 6.5 MEDIUM
Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
CVE-2020-27216 6 Apache, Debian, Eclipse and 3 more 12 Beam, Debian Linux, Jetty and 9 more 2021-10-20 4.4 MEDIUM 7.0 HIGH
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CVE-2021-41034 1 Eclipse 1 Che 2021-10-07 6.8 MEDIUM 8.1 HIGH
The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che.
CVE-2021-34434 2 Eclipse, Fedoraproject 2 Mosquitto, Fedora 2021-09-24 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.