Filtered by vendor Eclipse
Subscribe
Total
193 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10029 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 6.1 MEDIUM |
| In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console. | |||||
| CVE-2024-10031 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 5.4 MEDIUM |
| In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system. | |||||
| CVE-2024-10032 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 5.4 MEDIUM |
| In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | |||||
| CVE-2024-9342 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 9.8 CRITICAL |
| In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. | |||||
| CVE-2024-9343 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 6.1 MEDIUM |
| In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | |||||
| CVE-2024-9408 | 1 Eclipse | 1 Glassfish | 2025-07-16 | N/A | 9.8 CRITICAL |
| In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints. | |||||
| CVE-2024-6763 | 1 Eclipse | 1 Jetty | 2025-07-10 | N/A | 3.7 LOW |
| Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks. | |||||
| CVE-2023-28366 | 1 Eclipse | 1 Mosquitto | 2025-06-26 | N/A | 7.5 HIGH |
| The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. | |||||
| CVE-2023-5632 | 1 Eclipse | 1 Mosquitto | 2025-06-25 | N/A | 7.5 HIGH |
| In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6 | |||||
| CVE-2025-4949 | 1 Eclipse | 1 Jgit | 2025-06-17 | N/A | 9.8 CRITICAL |
| In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues. | |||||
| CVE-2023-44487 | 32 Akka, Amazon, Apache and 29 more | 313 Http Server, Opensearch Data Prepper, Apisix and 310 more | 2025-06-11 | N/A | 7.5 HIGH |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | |||||
| CVE-2023-36479 | 2 Debian, Eclipse | 2 Debian Linux, Jetty | 2025-05-27 | N/A | 3.5 LOW |
| Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2. | |||||
| CVE-2022-3676 | 1 Eclipse | 1 Openj9 | 2025-05-07 | N/A | 6.5 MEDIUM |
| In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type. | |||||
| CVE-2017-7243 | 1 Eclipse | 1 Tinydtls | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Eclipse tinydtls 0.8.2 for Eclipse IoT allows remote attackers to cause a denial of service (DTLS peer crash) by sending a "Change cipher spec" packet without pre-handshake. | |||||
| CVE-2017-9735 | 3 Debian, Eclipse, Oracle | 7 Debian Linux, Jetty, Communications Cloud Native Core Policy and 4 more | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. | |||||
| CVE-2017-7650 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. | |||||
| CVE-2017-9868 | 2 Debian, Eclipse | 2 Debian Linux, Mosquitto | 2025-04-20 | 2.1 LOW | 5.5 MEDIUM |
| In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information. | |||||
| CVE-2017-7649 | 1 Eclipse | 1 Kura | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is left open, allowing to log into Kura without any user credentials over unencrypted telnet and executing commands using the Equinox "exec" command. As the process is running as "root" full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and assigns a MAC address based IPv6 address. | |||||
| CVE-2016-4800 | 2 Eclipse, Microsoft | 2 Jetty, Windows | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes. | |||||
| CVE-2015-2080 | 2 Eclipse, Fedoraproject | 2 Jetty, Fedora | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. | |||||