Filtered by vendor Eclipse Subscriptions
Total 163 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-5763 1 Eclipse 1 Glassfish 2024-09-05 6.8 Medium
In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.
CVE-2023-4043 2 Eclipse, Redhat 6 Parsson, Camel Quarkus, Camel Spring Boot and 3 more 2024-09-05 5.9 Medium
In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect. To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
CVE-2023-4218 1 Eclipse 3 Eclipse Ide, Org.eclipse.core.runtime, Pde 2024-09-03 5 Medium
In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).
CVE-2023-5676 2 Eclipse, Redhat 3 Openj9, Enterprise Linux, Rhel Extras 2024-08-29 4.1 Medium
In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing.
CVE-2024-43787 1 Eclipse 1 Hono 2024-08-23 5 Medium
Hono is a Web application framework that provides support for any JavaScript runtime. Hono CSRF middleware can be bypassed using crafted Content-Type header. MIME types are case insensitive, but isRequestedByFormElementRe only matches lower-case. As a result, attacker can bypass csrf middleware using upper-case form-like MIME type. This vulnerability is fixed in 4.5.8.
CVE-2023-44487 32 Akka, Amazon, Apache and 29 more 364 Http Server, Opensearch Data Prepper, Apisix and 361 more 2024-08-19 7.5 High
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2018-20227 1 Eclipse 1 Rdf4j 2024-08-16 7.5 High
RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP archive.
CVE-2023-4759 4 Apple, Eclipse, Microsoft and 1 more 4 Macos, Jgit, Windows and 1 more 2024-08-07 8.8 High
Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. The JGit maintainers would like to thank RyotaK for finding and reporting this issue.
CVE-2008-7271 1 Eclipse 1 Eclipse Ide 2024-08-07 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE, possibly 3.3.2, allow remote attackers to inject arbitrary web script or HTML via (1) the searchWord parameter to help/advanced/searchView.jsp or (2) the workingSet parameter in an add action to help/advanced/workingSetManager.jsp, a different issue than CVE-2010-4647.
CVE-2009-5045 2 Debian, Eclipse 2 Debian Linux, Jetty 2024-08-07 7.5 High
Dump Servlet information leak in jetty before 6.1.22.
CVE-2009-5046 2 Debian, Eclipse 2 Debian Linux, Jetty 2024-08-07 6.1 Medium
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
CVE-2009-4521 1 Eclipse 1 Birt 2024-08-07 N/A
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
CVE-2010-4647 2 Eclipse, Redhat 2 Eclipse Ide, Enterprise Linux 2024-08-07 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp.
CVE-2014-9390 6 Apple, Eclipse, Git-scm and 3 more 8 Mac Os X, Xcode, Egit and 5 more 2024-08-06 9.8 Critical
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
CVE-2015-8031 1 Eclipse 1 Hudson 2024-08-06 9.8 Critical
Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks.
CVE-2015-2080 2 Eclipse, Fedoraproject 2 Jetty, Fedora 2024-08-06 N/A
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
CVE-2016-4800 2 Eclipse, Microsoft 2 Jetty, Windows 2024-08-06 N/A
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
CVE-2017-9868 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2024-08-05 N/A
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.
CVE-2017-9735 3 Debian, Eclipse, Oracle 7 Debian Linux, Jetty, Communications Cloud Native Core Policy and 4 more 2024-08-05 7.5 High
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVE-2017-8315 1 Eclipse 1 Ide 2024-08-05 N/A
Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml.