Filtered by vendor: Eclipse
Total 166 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-6194 1 Eclipse 1 Memory Analyzer 2024-08-02 2.8 Low
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to generate a report from a malicious report definition XML file containing an external entity reference, Eclipse Memory Analyzer may access the external files or URLs that the DTD in the report definition points to.
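The check that closes this class of issue is to refuse any DOCTYPE before the parser can act on it. The following is an added example written for this page, not Eclipse Memory Analyzer code: it parses a hypothetical report definition (report/query elements are assumed) with the standard library expat binding, aborts on the first DOCTYPE declaration, and additionally refuses external entity references as a second line of defence. The sample documents at the bottom are constructed for the example.

```python
# Added example, not Eclipse Memory Analyzer code: reject a report definition that
# declares a DOCTYPE, so a DTD can never pull in external files or URLs.
# The element names (report/query) are a hypothetical report format.
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """The document declares a DTD and is refused before any entity is resolved."""


def parse_report_definition(xml_bytes: bytes) -> dict:
    """Parse a report definition and return its root element and query texts.

    Any DOCTYPE declaration aborts parsing immediately; as a second line of
    defence, external entity references are refused even if one were declared.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {"root": None, "queries": []}
    state = {"in_query": False, "text": []}

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # The hardening: no DTD at all, neither internal subset nor external.
        raise DtdNotAllowed(
            f"DOCTYPE {doctype_name!r} not allowed (system id {system_id!r})"
        )

    def external_entity_ref(context, base, system_id, public_id):
        # Never fetch file:// or http:// entities, whatever the DOCTYPE check did.
        raise DtdNotAllowed(f"external entity {system_id!r} refused")

    def start_element(name, attrs):
        if result["root"] is None:
            result["root"] = name
        if name == "query":
            state["in_query"] = True
            state["text"] = []

    def char_data(data):
        if state["in_query"]:
            state["text"].append(data)

    def end_element(name):
        if name == "query":
            result["queries"].append("".join(state["text"]).strip())
            state["in_query"] = False

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(xml_bytes, True)
    return result


def accepts_report_definition(xml_bytes: bytes) -> bool:
    """True if the definition parses without a DTD, False if it was refused."""
    try:
        parse_report_definition(xml_bytes)
    except DtdNotAllowed:
        return False
    return True


# Constructed inputs: a benign definition and one carrying a file-reading external entity.
BENIGN_REPORT = (
    b'<?xml version="1.0"?>'
    b'<report name="leak-suspects"><query>SELECT * FROM java.lang.String</query></report>'
)
MALICIOUS_REPORT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE report [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<report name="evil"><query>&xxe;</query></report>'
)

if __name__ == "__main__":
    print(parse_report_definition(BENIGN_REPORT))
    print("malicious accepted:", accepts_report_definition(MALICIOUS_REPORT))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" DTDs: it also rules out internal-subset entity expansion attacks, and report definitions have no legitimate need for a DTD.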
CVE-2023-4760 1 Eclipse 1 Remote Application Platform 2024-08-02 7.6 High
In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, remote code execution is possible on Windows when using the FileUpload component. The cause is incomplete sanitisation of the uploaded file name in the FileUploadProcessor.stripFileName(String name) method: it removes everything up to the last / in the name, but any \ (backslash) separators after that point are kept, and Windows treats backslashes as path separators too. For example, a file name such as /..\..\webapps\shell.war is stored as ..\..\webapps\shell.war, which on a Tomcat server under Windows resolves into its webapps directory, where the uploaded WAR can then be executed.
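To make the traversal concrete, the following is an added example written for this page, not Eclipse RAP source: it reimplements the stripping behaviour the advisory describes next to a hardened version that treats both separators alike, and uses ntpath so the Windows path resolution can be reproduced on any host. The function names and the upload directory are hypothetical.

```python
# Added example, not Eclipse RAP source: the filename stripping behaviour the advisory
# describes, next to a hardened version, with ntpath so the Windows outcome can be
# reproduced on any host. Function names and the upload directory are hypothetical.
import ntpath
import re

UPLOAD_DIR = r"C:\tomcat\work\uploads"   # hypothetical Tomcat upload directory on Windows


def strip_file_name_vulnerable(name: str) -> str:
    """Behaviour described for stripFileName before the fix: drop everything up to the
    last '/', but leave backslashes alone."""
    idx = name.rfind("/")
    return name[idx + 1:] if idx != -1 else name


def strip_file_name_fixed(name: str) -> str:
    """Keep only the last path component, treating '/' and backslash both as
    separators, and refuse names that are empty or purely relative."""
    base = re.split(r"[\\/]", name)[-1]
    if base in ("", ".", ".."):
        raise ValueError(f"unusable upload file name: {name!r}")
    return base


def windows_target_path(upload_dir: str, stripped_name: str) -> str:
    """Path a Windows server would write to after joining and normalising."""
    return ntpath.normpath(ntpath.join(upload_dir, stripped_name))


def escapes_upload_dir(upload_dir: str, stripped_name: str) -> bool:
    """True when the final path lands outside upload_dir."""
    root = ntpath.normpath(upload_dir)
    target = windows_target_path(upload_dir, stripped_name)
    return not target.lower().startswith(root.lower() + "\\")


ATTACK_NAME = "/..\\..\\webapps\\shell.war"   # the file name from the advisory

if __name__ == "__main__":
    for fn in (strip_file_name_vulnerable, strip_file_name_fixed):
        stripped = fn(ATTACK_NAME)
        print(fn.__name__, repr(stripped), windows_target_path(UPLOAD_DIR, stripped),
              "escapes" if escapes_upload_dir(UPLOAD_DIR, stripped) else "contained")
```

With the upload directory two levels below the Tomcat root, the vulnerable variant yields C:\tomcat\webapps\shell.war, which is exactly the deployment directory; the hardened variant keeps the file as shell.war inside the upload directory. A containment check like escapes_upload_dir is worth keeping even after fixing the stripping, since it catches any separator the sanitiser did not anticipate.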
CVE-2023-3592 2 Eclipse, Redhat 3 Mosquitto, Satellite, Satellite Capsule 2024-08-02 5.8 Medium
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
CVE-2023-2597 1 Eclipse 1 Openj9 2024-08-02 7 High
In Eclipse OpenJ9 before version 0.38.0, the implementation of the shared class cache (which is enabled by default in OpenJ9 builds) does not properly check the size of a string against the size of the buffer that receives it.
CVE-2023-0809 2 Eclipse, Redhat 3 Mosquitto, Satellite, Satellite Capsule 2024-08-02 5.8 Medium
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
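The defensive rule behind this fix is that a broker should not reserve memory on the strength of a declared packet length until it has confirmed the first packet is a CONNECT and that its length is plausible. The following is an added example written for this page, not Mosquitto source: it decodes an MQTT fixed header (the variable byte integer is per the MQTT specification) and contrasts an unchecked allocation with one that enforces the packet type and a cap. The cap, function names and packet bytes are constructed for the example.

```python
# Added example, not Mosquitto source: decode an MQTT fixed header and decide how much
# memory to reserve for the first packet on a connection. The cap and function names are
# hypothetical; the packet bytes below are constructed for the example.
CONNECT = 1
MAX_FIRST_PACKET = 16 * 1024   # hypothetical upper bound for a CONNECT on this broker


class ProtocolError(ValueError):
    pass


def decode_remaining_length(data: bytes, offset: int = 1):
    """MQTT variable byte integer: up to four bytes of 7 bits, least significant group
    first. Returns (value, index of the first byte after it)."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise ProtocolError("truncated remaining length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ProtocolError("malformed remaining length")


def unchecked_allocation(data: bytes) -> int:
    """Weak behaviour: reserve whatever remaining length the peer declared, for any type."""
    remaining, _ = decode_remaining_length(data)
    return remaining


def first_packet_allocation(data: bytes, limit: int = MAX_FIRST_PACKET) -> int:
    """Hardened: the first packet must be a CONNECT with reserved flags 0, and its
    declared length must fit the cap, before any buffer is reserved for it."""
    if not data:
        raise ProtocolError("empty packet")
    packet_type, flags = data[0] >> 4, data[0] & 0x0F
    remaining, _ = decode_remaining_length(data)
    if packet_type != CONNECT or flags != 0:
        raise ProtocolError(f"first packet must be CONNECT, got type {packet_type}")
    if remaining > limit:
        raise ProtocolError(f"CONNECT declares {remaining} bytes, limit is {limit}")
    return remaining


def accepts_first_packet(data: bytes) -> bool:
    try:
        first_packet_allocation(data)
    except ProtocolError:
        return False
    return True


# Constructed packets.
# Minimal MQTT v5 CONNECT: protocol name "MQTT", level 5, clean start, keepalive 60,
# empty properties, empty client id (13 bytes after the fixed header).
CONNECT_PACKET = bytes([0x10, 0x0D]) + b"\x00\x04MQTT\x05\x02\x00\x3C\x00\x00\x00"
# A PUBLISH as the very first packet, declaring the maximum remaining length (256 MiB - 1).
BOGUS_FIRST_PACKET = bytes([0x30, 0xFF, 0xFF, 0xFF, 0x7F])

if __name__ == "__main__":
    print("unchecked:", unchecked_allocation(BOGUS_FIRST_PACKET))
    print("hardened accepts bogus:", accepts_first_packet(BOGUS_FIRST_PACKET))
    print("hardened CONNECT size:", first_packet_allocation(CONNECT_PACKET))
```

Five bytes from an unauthenticated client are enough to make the unchecked path reserve 256 MiB; repeated across many connections that exhausts the broker. The hardened path rejects the packet before touching the allocator, and the cap bounds what even a well-formed CONNECT can demand.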
CVE-2023-0100 1 Eclipse 1 Business Intelligence And Reporting Tools 2024-08-02 8.8 High
In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed a report to be retrieved from the same host by passing an absolute HTTP URL in the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host in the __report URL matched the value of the HTTP Host header, the report was retrieved. However, the Host header can be tampered with in configurations where no virtual hosts are set up (e.g. the default configuration of Apache Tomcat) or where the default host points to the BIRT server, so a client can make an arbitrary host "match". This vulnerability was patched in Eclipse BIRT 4.13.
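The underlying mistake is using a client-controlled header as the trust anchor. The following is an added example written for this page, not Eclipse BIRT code: it models the weak same-host check the advisory describes next to a check against a server-side allowlist that never consults the Host header. The function names, the allowlist and the sample URLs are hypothetical.

```python
# Added example, not Eclipse BIRT code: the weak same-host check the advisory describes,
# which trusts the request's Host header, next to a check against a server-side allowlist.
# Function names and the allowlist are hypothetical.
from typing import Collection
from urllib.parse import urlparse

ALLOWED_REPORT_HOSTS = frozenset({"reports.example.internal"})   # hypothetical allowlist


def _report_host(report_param: str):
    """'' for a relative report path, the lowercased host of an absolute http(s) URL,
    or None for anything else (file:, protocol-relative, ...)."""
    parsed = urlparse(report_param)
    if parsed.scheme == "" and parsed.netloc == "":
        return ""
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return parsed.netloc.lower()
    return None


def report_allowed_weak(report_param: str, host_header: str) -> bool:
    """Weak: an absolute __report URL is accepted when its host equals the Host header.
    On a default Tomcat the client controls that header, so any host can be made to match."""
    host = _report_host(report_param)
    if host is None:
        return False
    if host == "":
        return True
    return host == host_header.lower()


def report_allowed_strict(report_param: str, allowed_hosts: Collection[str]) -> bool:
    """Strict: absolute URLs are compared with a configured allowlist only; the
    Host header plays no part."""
    host = _report_host(report_param)
    if host is None:
        return False
    if host == "":
        return True
    return host in allowed_hosts


ATTACKER_REPORT = "http://xyz.com/report.rptdesign"   # the URL shape from the advisory

if __name__ == "__main__":
    print("weak, Host: xyz.com ->", report_allowed_weak(ATTACKER_REPORT, "xyz.com"))
    print("strict              ->", report_allowed_strict(ATTACKER_REPORT, ALLOWED_REPORT_HOSTS))
```

Sending Host: xyz.com alongside __report=http://xyz.com/report.rptdesign satisfies the weak check, so the server fetches and runs a report from a host the attacker chose. The strict variant also refuses protocol-relative (//host/...) and non-HTTP schemes, which a naive host comparison can let through.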