Filtered by vendor Eclipse
Subscribe
Total
220 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41041 | 2 Eclipse, Oracle | 2 Openj9, Java Se | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. | |||||
| CVE-2021-41040 | 1 Eclipse | 1 Wakaama | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data. | |||||
| CVE-2021-41039 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. | |||||
| CVE-2021-41038 | 1 Eclipse | 1 Theia | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | |||||
| CVE-2021-41037 | 1 Eclipse | 1 Equinox P2 | 2024-11-21 | 6.8 MEDIUM | 10.0 CRITICAL |
| In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source. | |||||
| CVE-2021-41036 | 1 Eclipse | 1 Paho Mqtt C\/c\+\+ Client | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket. | |||||
| CVE-2021-41035 | 1 Eclipse | 1 Openj9 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. | |||||
| CVE-2021-41034 | 1 Eclipse | 1 Che | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che. | |||||
| CVE-2021-41033 | 1 Eclipse | 1 Equinox | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | |||||
| CVE-2021-38443 | 1 Eclipse | 1 Cyclonedds | 2024-11-21 | 7.5 HIGH | 6.6 MEDIUM |
| Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | |||||
| CVE-2021-38441 | 1 Eclipse | 1 Cyclonedds | 2024-11-21 | 7.5 HIGH | 6.6 MEDIUM |
| Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | |||||
| CVE-2021-34436 | 1 Eclipse | 1 Theia | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default. | |||||
| CVE-2021-34435 | 1 Eclipse | 1 Theia | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.. | |||||
| CVE-2021-34434 | 2 Eclipse, Fedoraproject | 2 Mosquitto, Fedora | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. | |||||
| CVE-2021-34433 | 1 Eclipse | 1 Californium | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange. | |||||
| CVE-2021-34432 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0. | |||||
| CVE-2021-34431 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker. | |||||
| CVE-2021-34430 | 1 Eclipse | 1 Tinydtls | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C library, which makes it easier for remote attackers to compute the master key and then decrypt DTLS traffic. | |||||
| CVE-2021-34429 | 3 Eclipse, Netapp, Oracle | 18 Jetty, E-series Santricity Os Controller, E-series Santricity Web Services and 15 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. | |||||
| CVE-2021-34428 | 4 Debian, Eclipse, Netapp and 1 more | 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more | 2024-11-21 | 3.6 LOW | 2.9 LOW |
| For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. | |||||