Filtered by vendor Eclipse
Subscriptions
Total
172 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2018-20227 | 1 Eclipse | 1 Rdf4j | 2024-11-21 | 7.5 High |
RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP archive. | ||||
CVE-2018-20145 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | N/A |
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored. | ||||
CVE-2018-14371 | 2 Eclipse, Redhat | 4 Mojarra, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 1 more | 2024-11-21 | N/A |
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications. | ||||
CVE-2018-12551 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | N/A |
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clients can circumvent authentication and get access to the broker by using the malformed username. In particular, a blank line will be treated as a valid empty username. Other security measures are unaffected. Users who have only used the mosquitto_passwd utility to create and modify their password files are unaffected by this vulnerability. | ||||
CVE-2018-12550 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | N/A |
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour is to have an empty ACL file mean that all access is denied, which is not a useful configuration but is not unexpected. | ||||
CVE-2018-12549 | 2 Eclipse, Redhat | 8 Openj9, Enterprise Linux, Enterprise Linux Desktop and 5 more | 2024-11-21 | N/A |
In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. | ||||
CVE-2018-12548 | 1 Eclipse | 1 Openj9 | 2024-11-21 | N/A |
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code. | ||||
CVE-2018-12547 | 2 Eclipse, Redhat | 8 Openj9, Enterprise Linux, Enterprise Linux Desktop and 5 more | 2024-11-21 | N/A |
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code. | ||||
CVE-2018-12546 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | 6.5 Medium |
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this may result in clients being able cause effects that would otherwise not be allowed. | ||||
CVE-2018-12545 | 2 Eclipse, Fedoraproject | 2 Jetty, Fedora | 2024-11-21 | 7.5 High |
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. | ||||
CVE-2018-12544 | 2 Eclipse, Redhat | 2 Vert.x, Openshift Application Runtimes | 2024-11-21 | N/A |
In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema. | ||||
CVE-2018-12543 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | N/A |
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. | ||||
CVE-2018-12542 | 2 Eclipse, Microsoft | 2 Vert.x, Windows | 2024-11-21 | N/A |
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. | ||||
CVE-2018-12541 | 2 Eclipse, Redhat | 3 Vert.x, Jboss Fuse, Openshift Application Runtimes | 2024-11-21 | 6.5 Medium |
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed. | ||||
CVE-2018-12540 | 2 Eclipse, Redhat | 2 Vert.x, Openshift Application Runtimes | 2024-11-21 | N/A |
In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet. | ||||
CVE-2018-12539 | 3 Eclipse, Oracle, Redhat | 4 Openj9, Enterprise Manager Base Platform, Network Satellite and 1 more | 2024-11-21 | N/A |
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no. | ||||
CVE-2018-12538 | 2 Eclipse, Netapp | 12 Jetty, E-series Santricity Management Plug-ins, E-series Santricity Os Controller and 9 more | 2024-11-21 | N/A |
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. | ||||
CVE-2018-12537 | 2 Eclipse, Redhat | 3 Vert.x, Jboss Fuse, Openshift Application Runtimes | 2024-11-21 | N/A |
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response. | ||||
CVE-2018-12536 | 3 Eclipse, Oracle, Redhat | 3 Jetty, Retail Xstore Point Of Service, Jboss Fuse | 2024-11-21 | 5.3 Medium |
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. | ||||
CVE-2018-1000644 | 1 Eclipse | 1 Rdf4j | 2024-11-21 | N/A |
Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted RDF file. |