Filtered by vendor Eclipse
Subscribe
Total
162 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-18212 | 3 Eclipse, Theia Xml Extension Project, Xml Language Server Project | 3 Wild Web Developer, Theia Xml Extension, Xml Server Project | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal. | |||||
CVE-2019-17632 | 1 Eclipse | 1 Jetty | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. | |||||
CVE-2019-11775 | 2 Eclipse, Redhat | 5 Openj9, Enterprise Linux Desktop, Enterprise Linux Server and 2 more | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH |
All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that field in the modified copy of the loop allowing the test to see one value of the field and subsequently the loop to see a modified field value without retesting the condition moved out of the loop. This can lead to a variety of different issues but read out of array bounds is one major consequence of these problems. | |||||
CVE-2019-11773 | 1 Eclipse | 1 Omr | 2023-12-10 | 4.4 MEDIUM | 7.8 HIGH |
Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users. | |||||
CVE-2019-10240 | 1 Eclipse | 1 Hawkbit | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected. | |||||
CVE-2019-11778 | 1 Eclipse | 1 Mosquitto | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations. | |||||
CVE-2019-11776 | 1 Eclipse | 1 Business Intelligence And Reporting Tools | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context. | |||||
CVE-2018-12551 | 1 Eclipse | 1 Mosquitto | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. | |||||
CVE-2019-10247 | 4 Debian, Eclipse, Netapp and 1 more | 26 Debian Linux, Jetty, Element and 23 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | |||||
CVE-2017-7655 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library. | |||||
CVE-2018-12550 | 1 Eclipse | 1 Mosquitto | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected. | |||||
CVE-2019-11770 | 1 Eclipse | 1 Buildship | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this. | |||||
CVE-2019-10246 | 4 Eclipse, Microsoft, Netapp and 1 more | 26 Jetty, Windows, Element and 23 more | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. | |||||
CVE-2018-12545 | 2 Eclipse, Fedoraproject | 2 Jetty, Fedora | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. | |||||
CVE-2019-11774 | 1 Eclipse | 1 Omr | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH |
Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that field in the modified copy of the loop allowing the test to see one value of the field and subsequently the loop to see a modified field value without retesting the condition moved out of the loop. This can lead to a variety of different issues but read out of array bounds is one major consequence of these problems. | |||||
CVE-2019-10242 | 1 Eclipse | 1 Kura | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked the path passed during servlet call, potentially allowing path traversal in get requests for a limited number of file types. | |||||
CVE-2019-11772 | 1 Eclipse | 1 Openj9 | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager. | |||||
CVE-2019-11771 | 1 Eclipse | 1 Openj9 | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users. | |||||
CVE-2018-12546 | 1 Eclipse | 1 Mosquitto | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able cause effects that would otherwise not be allowed. | |||||
CVE-2019-10245 | 2 Eclipse, Redhat | 6 Openj9, Enterprise Linux, Enterprise Linux Desktop and 3 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load. |