Vulnerabilities (CVE)

Filtered by vendor Eclipse Subscribe
Total 162 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-18212 3 Eclipse, Theia Xml Extension Project, Xml Language Server Project 3 Wild Web Developer, Theia Xml Extension, Xml Server Project 2023-12-10 4.0 MEDIUM 6.5 MEDIUM
XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal.
CVE-2019-17632 1 Eclipse 1 Jetty 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
CVE-2019-11775 2 Eclipse, Redhat 5 Openj9, Enterprise Linux Desktop, Enterprise Linux Server and 2 more 2023-12-10 5.8 MEDIUM 7.4 HIGH
All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that field in the modified copy of the loop allowing the test to see one value of the field and subsequently the loop to see a modified field value without retesting the condition moved out of the loop. This can lead to a variety of different issues but read out of array bounds is one major consequence of these problems.
CVE-2019-11773 1 Eclipse 1 Omr 2023-12-10 4.4 MEDIUM 7.8 HIGH
Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
CVE-2019-10240 1 Eclipse 1 Hawkbit 2023-12-10 6.8 MEDIUM 8.1 HIGH
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.
CVE-2019-11778 1 Eclipse 1 Mosquitto 2023-12-10 5.5 MEDIUM 5.4 MEDIUM
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations.
CVE-2019-11776 1 Eclipse 1 Business Intelligence And Reporting Tools 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context.
CVE-2018-12551 1 Eclipse 1 Mosquitto 2023-12-10 6.8 MEDIUM 8.1 HIGH
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability.
CVE-2019-10247 4 Debian, Eclipse, Netapp and 1 more 26 Debian Linux, Jetty, Element and 23 more 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVE-2017-7655 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2023-12-10 5.0 MEDIUM 7.5 HIGH
In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.
CVE-2018-12550 1 Eclipse 1 Mosquitto 2023-12-10 6.8 MEDIUM 8.1 HIGH
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected.
CVE-2019-11770 1 Eclipse 1 Buildship 2023-12-10 6.8 MEDIUM 8.1 HIGH
In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.
CVE-2019-10246 4 Eclipse, Microsoft, Netapp and 1 more 26 Jetty, Windows, Element and 23 more 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
CVE-2018-12545 2 Eclipse, Fedoraproject 2 Jetty, Fedora 2023-12-10 5.0 MEDIUM 7.5 HIGH
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.
CVE-2019-11774 1 Eclipse 1 Omr 2023-12-10 5.8 MEDIUM 7.4 HIGH
Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that field in the modified copy of the loop allowing the test to see one value of the field and subsequently the loop to see a modified field value without retesting the condition moved out of the loop. This can lead to a variety of different issues but read out of array bounds is one major consequence of these problems.
CVE-2019-10242 1 Eclipse 1 Kura 2023-12-10 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked the path passed during servlet call, potentially allowing path traversal in get requests for a limited number of file types.
CVE-2019-11772 1 Eclipse 1 Openj9 2023-12-10 7.5 HIGH 9.8 CRITICAL
In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.
CVE-2019-11771 1 Eclipse 1 Openj9 2023-12-10 4.6 MEDIUM 7.8 HIGH
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
CVE-2018-12546 1 Eclipse 1 Mosquitto 2023-12-10 4.0 MEDIUM 6.5 MEDIUM
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able cause effects that would otherwise not be allowed.
CVE-2019-10245 2 Eclipse, Redhat 6 Openj9, Enterprise Linux, Enterprise Linux Desktop and 3 more 2023-12-10 5.0 MEDIUM 7.5 HIGH
In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load.