CVE-2021-41037
Description
In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in terms of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without the user receiving any warning about this installation step being risky when coming from an untrusted source.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse p2 installable-unit metadata can execute arbitrary touchpoint commands without user warning, enabling silent malicious code injection during installation.
Vulnerability
Eclipse p2, the provisioning system used by Eclipse Platform and related products, trusts installable-unit (IU) metadata to configure installation touchpoints, even when the IU contains no artifacts. Touchpoints can run local commands, alter the command line used to start the IDE (e.g., switching the JVM or adding Java agents), or modify other system settings. Unlike artifact handling, p2 has no signing or trust mechanism for metadata, so any metadata-only IU can specify arbitrary touchpoint actions. The bug affects all versions of Eclipse p2 prior to a fix being applied (no official fixed version is listed in the available references)[1][2].
Exploitation
An attacker provides a p2 repository (or modifies an existing one) containing an installable unit that consists only of metadata with malicious touchpoint definitions. The attacker must induce a victim—typically an Eclipse user—to install that unit using Eclipse's standard p2 installer, e.g., via a software site or a direct update operation. No authentication is required beyond what the installer normally performs; the installation proceeds without any additional warning about metadata trust because p2 only warns about unsigned artifacts, not unsigned metadata. The user simply clicks "Install" or "Apply Changes" on what appears to be a normal update[1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the user running the Eclipse IDE. This can lead to full compromise of the local machine—installing malware, modifying startup scripts, exfiltrating data, or pivoting to other systems. The attack achieves code execution during the installation phase, before the IDE is even restarted, and no user interaction beyond the initial install is required[1][2].
Mitigation
As of the publication date (2022-07-08), no official fix has been released for Eclipse p2. The long-term solution proposed by the Eclipse community is to implement metadata signing and verification analogous to the existing artifact signing, but this has not yet been implemented[1][2]. In the meantime, users should only install p2 IUs from trusted repositories and verify the integrity of repositories manually. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
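One way to do that manual review, as an added example that is not code from Eclipse or from this advisory: it parses a repository's content.xml and lists every installable unit that declares touchpoint actions, marking units that ship no artifact and actions that change how the application is launched. The sample metadata is constructed, and the watch list of action names is this example's own choice, not an exhaustive list.

```python
import re
import xml.etree.ElementTree as ET

# Watch list chosen for this example (an assumption, not exhaustive):
# Eclipse-touchpoint actions that change how the application is launched.
LAUNCH_ACTIONS = {"setJvm", "addJvmArg", "removeJvmArg",
                  "addProgramArg", "removeProgramArg", "setProgramProperty"}
ACTION_RE = re.compile(r"([\w.]+)\s*\(([^)]*)\)")  # name(param:value,...)

# Constructed sample metadata, not taken from any real repository.
SAMPLE = """<repository name='constructed-example'><units size='2'>
 <unit id='example.bundle' version='1.0.0'>
  <artifacts size='1'>
   <artifact classifier='osgi.bundle' id='example.bundle' version='1.0.0'/>
  </artifacts>
  <touchpointData size='1'><instructions size='1'>
   <instruction key='manifest'>Bundle-SymbolicName: example.bundle</instruction>
  </instructions></touchpointData>
 </unit>
 <unit id='example.settings' version='1.0.0'>
  <touchpointData size='1'><instructions size='1'>
   <instruction key='configure'>
    addJvmArg(jvmArg:-javaagent:EXAMPLE-agent.jar);
    setProgramProperty(propName:example.key,propValue:1);
   </instruction>
  </instructions></touchpointData>
 </unit>
</units></repository>"""

def audit(content_xml):
    """Return one finding per installable unit that declares touchpoint actions."""
    findings = []
    for unit in ET.fromstring(content_xml).iter("unit"):
        actions = []
        for ins in unit.iter("instruction"):
            if ins.get("key") == "manifest":  # bundle manifest text, not actions
                continue
            for name, params in ACTION_RE.findall(ins.text or ""):
                actions.append((ins.get("key"), name.rsplit(".", 1)[-1], params.strip()))
        if actions:
            findings.append({
                "unit": unit.get("id"),
                "metadata_only": unit.find("artifacts/artifact") is None,
                "alters_launch": sorted({a for _, a, _ in actions if a in LAUNCH_ACTIONS}),
                "actions": actions})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Repositories usually publish this metadata compressed (content.jar or content.xml.xz), so extract content.xml before passing its text to audit().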
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 1.0.0
Patches
No patches discovered yet.
References
- github.com/eclipse-equinox/p2/issues/235 (mitre, patch)
- bugs.eclipse.org/bugs/show_bug.cgi (mitre, x_refsource_CONFIRM)