Filtered by vendor Eclipse
Subscribe
Total
162 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-38441 | 1 Eclipse | 1 Cyclonedds | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | |||||
CVE-2022-0673 | 1 Eclipse | 1 Lemminx | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoning of external schema files due to directory traversal. | |||||
CVE-2021-41036 | 1 Eclipse | 1 Paho Mqtt C\/c\+\+ Client | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket. | |||||
CVE-2021-41033 | 1 Eclipse | 1 Equinox | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | |||||
CVE-2021-41035 | 1 Eclipse | 1 Openj9 | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. | |||||
CVE-2021-41034 | 1 Eclipse | 1 Che | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che. | |||||
CVE-2021-32834 | 1 Eclipse | 1 Keti | 2023-12-10 | 6.5 MEDIUM | 9.9 CRITICAL |
Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063. | |||||
CVE-2021-41038 | 1 Eclipse | 1 Theia | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | |||||
CVE-2021-41040 | 1 Eclipse | 1 Wakaama | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data. | |||||
CVE-2021-32835 | 1 Eclipse | 1 Keti | 2023-12-10 | 6.5 MEDIUM | 9.9 CRITICAL |
Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063. | |||||
CVE-2021-41039 | 1 Eclipse | 1 Mosquitto | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. | |||||
CVE-2021-34429 | 3 Eclipse, Netapp, Oracle | 18 Jetty, E-series Santricity Os Controller, E-series Santricity Web Services and 15 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. | |||||
CVE-2021-34430 | 1 Eclipse | 1 Tinydtls | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C library, which makes it easier for remote attackers to compute the master key and then decrypt DTLS traffic. | |||||
CVE-2020-6950 | 2 Eclipse, Oracle | 9 Mojarra, Banking Enterprise Default Management, Banking Platform and 6 more | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | |||||
CVE-2021-34427 | 1 Eclipse | 1 Business Intelligence And Reporting Tools | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance. | |||||
CVE-2021-28167 | 1 Eclipse | 1 Openj9 | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static methods or access static members without running the class initialization method, and may allow a user to observe uninitialized values. | |||||
CVE-2021-34434 | 2 Eclipse, Fedoraproject | 2 Mosquitto, Fedora | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. | |||||
CVE-2021-28170 | 3 Eclipse, Oracle, Quarkus | 4 Jakarta Expression Language, Communications Cloud Native Core Policy, Weblogic Server and 1 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. | |||||
CVE-2020-18735 | 1 Eclipse | 1 Cyclone Data Distribution Service | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. | |||||
CVE-2021-34428 | 4 Debian, Eclipse, Netapp and 1 more | 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more | 2023-12-10 | 3.6 LOW | 3.5 LOW |
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. |