Filtered by vendor Eclipse
Subscribe
Total
162 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11771 | 1 Eclipse | 1 Openj9 | 2023-03-24 | 4.6 MEDIUM | 7.8 HIGH |
| AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users. | |||||
| CVE-2019-11770 | 1 Eclipse | 1 Buildship | 2023-03-24 | 6.8 MEDIUM | 8.1 HIGH |
| In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this. | |||||
| CVE-2023-0100 | 1 Eclipse | 1 Business Intelligence And Reporting Tools | 2023-03-22 | N/A | 8.8 HIGH |
| In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched the HTTP Host header value, the report would be retrieved. However, the Host header can be tampered with on some configurations where no virtual hosts are put in place (e.g. in the default configuration of Apache Tomcat) or when the default host points to the BIRT server. This vulnerability was patched on Eclipse BIRT 4.13. | |||||
| CVE-2023-24815 | 1 Eclipse | 1 Vert.x-web | 2023-02-17 | N/A | 5.3 MEDIUM |
| Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: `return "/" + rest;` from `Utils.java` returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized `\` are not properly handled and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in windows environments and upgrading is the advised remediation path. There are no known workarounds for this vulnerability. | |||||
| CVE-2010-4647 | 1 Eclipse | 1 Eclipse Ide | 2023-02-13 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Help Contents web application (aka the Help Server) in Eclipse IDE before 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) help/index.jsp or (2) help/advanced/content.jsp. | |||||
| CVE-2021-34427 | 1 Eclipse | 1 Business Intelligence And Reporting Tools | 2023-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance. | |||||
| CVE-2019-17637 | 2 Debian, Eclipse | 2 Debian Linux, Web Tools Platform | 2023-01-27 | 5.8 MEDIUM | 7.1 HIGH |
| In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences. | |||||
| CVE-2022-39368 | 1 Eclipse | 1 Californium | 2022-11-17 | N/A | 8.2 HIGH |
| Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't cleanup counters for throttling, causing the threshold to be reached without being released again. This results in permanently dropping records. The issue was reported for certificate based handshakes, but may also affect PSK based handshakes. It generally affects client and server as well. This issue is patched in version 3.7.0 and 2.7.4. There are no known workarounds. main: commit 726bac57659410da463dcf404b3e79a7312ac0b9 2.7.x: commit 5648a0c27c2c2667c98419254557a14bac2b1f3f | |||||
| CVE-2022-36022 | 1 Eclipse | 1 Deeplearning4j | 2022-11-15 | N/A | 5.3 MEDIUM |
| Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here. | |||||
| CVE-2021-34435 | 1 Eclipse | 1 Theia | 2022-10-27 | 6.8 MEDIUM | 8.8 HIGH |
| In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.. | |||||
| CVE-2022-2047 | 3 Debian, Eclipse, Netapp | 7 Debian Linux, Jetty, Element Plug-in For Vcenter Server and 4 more | 2022-10-25 | 4.0 MEDIUM | 2.7 LOW |
| In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. | |||||
| CVE-2022-3676 | 1 Eclipse | 1 Openj9 | 2022-10-25 | N/A | 6.5 MEDIUM |
| In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type. | |||||
| CVE-2022-2191 | 1 Eclipse | 1 Jetty | 2022-09-23 | 5.0 MEDIUM | 7.5 HIGH |
| In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. | |||||
| CVE-2022-25897 | 1 Eclipse | 1 Milo | 2022-09-13 | N/A | 7.5 HIGH |
| The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. | |||||
| CVE-2022-2576 | 1 Eclipse | 1 Californium | 2022-08-05 | N/A | 7.5 HIGH |
| In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0. | |||||
| CVE-2015-8031 | 1 Eclipse | 1 Hudson | 2022-07-27 | N/A | 9.8 CRITICAL |
| Hudson (aka org.jvnet.hudson.main:hudson-core) before 3.3.2 allows XXE attacks. | |||||
| CVE-2021-38443 | 1 Eclipse | 1 Cyclonedds | 2022-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | |||||
| CVE-2021-38441 | 1 Eclipse | 1 Cyclonedds | 2022-05-13 | 7.5 HIGH | 9.8 CRITICAL |
| Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | |||||
| CVE-2020-6950 | 2 Eclipse, Oracle | 9 Mojarra, Banking Enterprise Default Management, Banking Platform and 6 more | 2022-05-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | |||||
| CVE-2021-41041 | 2 Eclipse, Oracle | 2 Openj9, Java Se | 2022-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. | |||||