Vendor CVEs

Eclipse

209 total · sorted by risk
  • CVE-2021-42144 · Jan 24, 2024
    risk 0.00 · cvss · epss 0.01

    Buffer over-read vulnerability in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers to obtain sensitive information via crafted input to dtls_ccm_decrypt_message().

  • CVE-2021-42145 · Jan 24, 2024
    risk 0.00 · cvss · epss 0.00

    An assertion failure discovered in check_certificate_request() in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers to cause a denial of service.

  • CVE-2021-42146 · Jan 24, 2024
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to…

  • CVE-2021-42142 · Jan 23, 2024
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers mishandle the early use of a large epoch number. This vulnerability allows remote attackers to cause a denial of service and false-positive packet drops.

  • CVE-2021-42141 · Jan 22, 2024
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One incorrect handshake could complete with different epoch numbers in the packets Client_Hello, Client_key_exchange, and Change_cipher_spec, which may cause denial of service.

  • CVE-2023-6194 · Dec 11, 2023
    risk 0.00 · cvss · epss 0.00

    In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external…

  • CVE-2023-5632 · Oct 18, 2023
    risk 0.00 · cvss · epss 0.01

    In Eclipse Mosquitto before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results in excessive CPU consumption. This could be used by a malicious actor to perform denial of service type…

  • CVE-2023-3592 · Oct 2, 2023
    risk 0.00 · cvss · epss 0.01

    In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.

  • CVE-2023-0809 · Oct 2, 2023
    risk 0.00 · cvss · epss 0.01

    In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.

  • CVE-2023-4760 · Sep 21, 2023
    risk 0.00 · cvss · epss 0.01

    In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure extraction of the file name in the FileUploadProcessor.stripFileName(String name)…

  • CVE-2023-28366 · Sep 1, 2023
    risk 0.00 · cvss · epss 0.01

    The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc…

  • CVE-2023-2597 · May 22, 2023
    risk 0.00 · cvss · epss 0.00

    In Eclipse OpenJ9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds), the size of a string is not properly checked against the size of the buffer.

  • CVE-2022-2712 · Jan 27, 2023
    risk 0.00 · cvss · epss 0.01

    In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a relative path traversal vulnerability because it does not filter request paths starting with './'. Successful exploitation could allow a remote unauthenticated attacker to access critical data, such as configuration…

  • CVE-2022-36022 · Nov 10, 2022
    risk 0.00 · cvss · epss 0.00

    Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely…

  • CVE-2022-39368 · Nov 9, 2022
    risk 0.00 · cvss · epss 0.01

    Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't clean up counters for throttling, causing the…

  • CVE-2022-3676 · Oct 24, 2022
    risk 0.00 · cvss · epss 0.01

    In Eclipse OpenJ9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type.

  • CVE-2022-25370 · Sep 2, 2022
    risk 0.00 · cvss · epss 0.02

    Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an…

  • CVE-2022-2838 · Aug 16, 2022
    risk 0.00 · cvss · epss 0.00

    In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.

  • CVE-2022-2576 · Jul 29, 2022
    risk 0.00 · cvss · epss 0.01

    In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message…

  • CVE-2021-41037 · Jul 8, 2022
    risk 0.00 · cvss · epss 0.01

    In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings…

  • CVE-2022-2191 · Jul 7, 2022
    risk 0.00 · cvss · epss 0.02

    In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool in error code paths.

  • CVE-2022-2047 · Jul 7, 2022
    risk 0.00 · cvss · epss 0.01

    In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy…

  • CVE-2022-2048 · Jul 7, 2022
    risk 0.00 · cvss · epss 0.02

    In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no…

  • CVE-2021-38443 · May 5, 2022
    risk 0.00 · cvss · epss 0.02

    Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.

  • CVE-2021-38441 · May 5, 2022
    risk 0.00 · cvss · epss 0.02

    Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.

  • CVE-2021-41041 · Apr 27, 2022
    risk 0.00 · cvss · epss 0.01

    In Eclipse OpenJ9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.

  • CVE-2021-41040 · Feb 1, 2022
    risk 0.00 · cvss · epss 0.01

    In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data.

  • CVE-2021-41039 · Dec 1, 2021
    risk 0.00 · cvss · epss 0.01

    In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

  • CVE-2021-41038 · Nov 10, 2021
    risk 0.00 · cvss · epss 0.01

    In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().

  • CVE-2021-41036 · Nov 2, 2021
    risk 0.00 · cvss · epss 0.01

    In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.

  • CVE-2021-41035 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.02

    In Eclipse OpenJ9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.

  • CVE-2021-41034 · Sep 29, 2021
    risk 0.00 · cvss · epss 0.00

    The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The…

  • CVE-2021-41033 · Sep 13, 2021
    risk 0.00 · cvss · epss 0.01

    In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local…

  • CVE-2021-32835 · Sep 9, 2021
    risk 0.00 · cvss · epss 0.04

    Eclipse Keti is a service that was designed to protect RESTful APIs using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code Execution. This vulnerability is known to exist in the latest commit at the time of…

  • CVE-2021-32834 · Sep 9, 2021
    risk 0.00 · cvss · epss 0.01

    Eclipse Keti is a service that was designed to protect RESTful APIs using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This…

  • CVE-2021-34436 · Sep 2, 2021
    risk 0.00 · cvss · epss 0.02

    In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by…

  • CVE-2021-34435 · Sep 1, 2021
    risk 0.00 · cvss · epss 0.01

    In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. Because of the way it is implemented, a previewed HTML file can trigger an RCE. This exploit only happens if a user previews a malicious file.

  • CVE-2021-34434 · Aug 30, 2021
    risk 0.00 · cvss · epss 0.01

    In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked.

  • CVE-2020-18735 · Aug 23, 2021
    risk 0.00 · cvss · epss 0.02

    A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash.

  • CVE-2020-18734 · Aug 23, 2021
    risk 0.00 · cvss · epss 0.02

    A stack buffer overflow in /ddsi/q_bitset.h of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash.

  • CVE-2021-34433 · Aug 20, 2021
    risk 0.00 · cvss · epss 0.00

    In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeed without verifying the server side's signature on the client side, if that signature is not included in the server's…

  • CVE-2021-34432 · Jul 27, 2021
    risk 0.00 · cvss · epss 0.01

    In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

  • CVE-2021-34431 · Jul 22, 2021
    risk 0.00 · cvss · epss 0.01

    In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker, a memory leak would occur, which could be used to mount a DoS attack against the broker.

  • CVE-2021-34430 · Jul 8, 2021
    risk 0.00 · cvss · epss 0.01

    Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C library, which makes it easier for remote attackers to compute the master key and then decrypt DTLS traffic.

  • CVE-2021-34428 · Jun 22, 2021
    risk 0.00 · cvss · epss 0.01

    For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can…

  • CVE-2021-28170 · May 26, 2021
    risk 0.00 · cvss · epss 0.02

    In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

  • CVE-2021-28168 · Apr 22, 2021
    risk 0.00 · cvss · epss 0.01

    Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contain a local information disclosure vulnerability. This is due to the use of File.createTempFile, which creates a file inside the system temporary directory with the permissions: -rw-r--r--. Thus the…

  • CVE-2021-28167 · Apr 21, 2021
    risk 0.00 · cvss · epss 0.01

    In Eclipse OpenJ9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static methods or access static members without running the class initialization method,…

  • CVE-2021-28166 · Apr 7, 2021
    risk 0.00 · cvss · epss 0.01

    In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur.

  • CVE-2021-28163 · Apr 1, 2021
    risk 0.00 · cvss · epss 0.04

    In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that…