Filtered by vendor Eclipse
Subscriptions
Total
166 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-18735 | 1 Eclipse | 1 Cyclone Data Distribution Service | 2024-08-04 | 7.5 High |
| A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. | ||||
| CVE-2020-18734 | 1 Eclipse | 1 Cyclone Data Distribution Service | 2024-08-04 | 7.5 High |
| A stack buffer overflow in /ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. | ||||
| CVE-2020-14368 | 1 Eclipse | 1 Che | 2024-08-04 | 7.1 High |
| A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | ||||
| CVE-2020-10689 | 2 Eclipse, Redhat | 2 Che, Codeready Workspaces | 2024-08-04 | 6.4 Medium |
| A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod. | ||||
| CVE-2020-6950 | 3 Eclipse, Oracle, Redhat | 14 Mojarra, Banking Enterprise Default Management, Banking Platform and 11 more | 2024-08-04 | 6.5 Medium |
| Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | ||||
| CVE-2021-41041 | 3 Eclipse, Oracle, Redhat | 4 Openj9, Java Se, Enterprise Linux and 1 more | 2024-08-04 | 5.3 Medium |
| In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. | ||||
| CVE-2021-41036 | 1 Eclipse | 1 Paho Mqtt C\/c\+\+ Client | 2024-08-04 | 9.8 Critical |
| In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket. | ||||
| CVE-2021-41040 | 1 Eclipse | 1 Wakaama | 2024-08-04 | 7.5 High |
| In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data. | ||||
| CVE-2021-41034 | 1 Eclipse | 1 Che | 2024-08-04 | 8.1 High |
| The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che. | ||||
| CVE-2021-41042 | 1 Eclipse | 1 Lyo | 2024-08-04 | 5.3 Medium |
| In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved. | ||||
| CVE-2021-41039 | 1 Eclipse | 1 Mosquitto | 2024-08-04 | 7.5 High |
| In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. | ||||
| CVE-2021-41035 | 2 Eclipse, Redhat | 3 Openj9, Enterprise Linux, Rhel Extras | 2024-08-04 | 9.8 Critical |
| In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. | ||||
| CVE-2021-41038 | 1 Eclipse | 1 Theia | 2024-08-04 | 6.1 Medium |
| In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | ||||
| CVE-2021-41033 | 1 Eclipse | 1 Equinox | 2024-08-04 | 8.1 High |
| In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | ||||
| CVE-2021-41037 | 1 Eclipse | 1 Equinox P2 | 2024-08-04 | 10 Critical |
| In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source. | ||||
| CVE-2021-38441 | 1 Eclipse | 1 Cyclonedds | 2024-08-04 | 6.6 Medium |
| Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | ||||
| CVE-2021-38443 | 1 Eclipse | 1 Cyclonedds | 2024-08-04 | 6.6 Medium |
| Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | ||||
| CVE-2021-34427 | 1 Eclipse | 1 Business Intelligence And Reporting Tools | 2024-08-04 | 9.8 Critical |
| In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance. | ||||
| CVE-2021-34431 | 1 Eclipse | 1 Mosquitto | 2024-08-04 | 6.5 Medium |
| In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur, which could be used to provide a DoS attack against the broker. | ||||
| CVE-2021-34433 | 1 Eclipse | 1 Californium | 2024-08-04 | 7.5 High |
| In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange. | ||||