Vendor CVEs
Eclipse
All CVEs
209 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-28162 | 0.00 | — | 0.01 | Mar 12, 2021 | In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. | |||
| CVE-2021-28161 | 0.00 | — | 0.01 | Mar 12, 2021 | In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. | |||
| CVE-2020-27225 | 0.00 | — | 0.00 | Mar 9, 2021 | In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich… | |||
| CVE-2020-27224 | 0.00 | — | 0.02 | Feb 24, 2021 | In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. | |||
| CVE-2020-27222 | 0.00 | — | 0.01 | Feb 3, 2021 | In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS… | |||
| CVE-2020-27221 | 0.00 | — | 0.02 | Jan 21, 2021 | In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. | |||
| CVE-2020-14368 | 0.00 | — | 0.01 | Dec 14, 2020 | A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site… | |||
| CVE-2020-27218 | 0.00 | — | 0.08 | Nov 28, 2020 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request… | |||
| CVE-2020-27216 | 0.00 | — | 0.04 | Oct 23, 2020 | In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a… | |||
| CVE-2019-17639 | 0.00 | — | 0.01 | Jul 15, 2020 | In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an… | |||
| CVE-2019-17637 | 0.00 | — | 0.01 | Jul 15, 2020 | In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in… | |||
| CVE-2019-17638 | 0.00 | — | 0.11 | Jul 9, 2020 | In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice.… | |||
| CVE-2020-9040 | 0.00 | — | 0.01 | Jun 8, 2020 | Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing… | |||
| CVE-2020-10689 | 0.00 | — | 0.01 | Apr 3, 2020 | A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge… | |||
| CVE-2019-17636 | 0.00 | — | 0.01 | Mar 10, 2020 | In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's… | |||
| CVE-2019-17634 | 0.00 | — | 0.02 | Jan 17, 2020 | Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to… | |||
| CVE-2019-17635 | 0.00 | — | 0.01 | Jan 17, 2020 | Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump… | |||
| CVE-2019-17633 | 0.00 | — | 0.01 | Dec 19, 2019 | For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local… | |||
| CVE-2019-17632 | 0.00 | — | 0.02 | Nov 25, 2019 | In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. | |||
| CVE-2009-5046 | 0.00 | — | 0.02 | Nov 6, 2019 | JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22. | |||
| CVE-2009-5045 | 0.00 | — | 0.02 | Nov 6, 2019 | Dump Servlet information leak in jetty before 6.1.22. | |||
| CVE-2009-5049 | 0.00 | — | 0.02 | Nov 6, 2019 | WebApp JSP Snoop page XSS in jetty though 6.1.21. | |||
| CVE-2019-17631 | 0.00 | — | 0.02 | Oct 17, 2019 | From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks. | |||
| CVE-2019-11778 | 0.00 | — | 0.01 | Sep 18, 2019 | If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free… | |||
| CVE-2019-11773 | 0.00 | — | 0.00 | Sep 12, 2019 | Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users. | |||
| CVE-2019-11774 | 0.00 | — | 0.01 | Sep 12, 2019 | Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that… | |||
| CVE-2019-11776 | 0.00 | — | 0.01 | Aug 9, 2019 | In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context. | |||
| CVE-2019-11775 | 0.00 | — | 0.01 | Jul 30, 2019 | All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of… | |||
| CVE-2019-11772 | 0.00 | — | 0.02 | Jul 17, 2019 | In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of… | |||
| CVE-2019-11771 | 0.00 | — | 0.00 | Jul 17, 2019 | AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users. | |||
| CVE-2019-11770 | 0.00 | — | 0.01 | Jun 14, 2019 | In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced.… | |||
| CVE-2019-10246 | 0.00 | — | 0.04 | Apr 22, 2019 | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information… | |||
| CVE-2019-10247 | 0.00 | — | 0.06 | Apr 22, 2019 | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a… | |||
| CVE-2019-10245 | 0.00 | — | 0.02 | Apr 19, 2019 | In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load. | |||
| CVE-2019-10242 | 0.00 | — | 0.02 | Apr 9, 2019 | In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked the path passed during servlet call, potentially allowing path traversal in get requests for a limited number of file types. | |||
| CVE-2019-10244 | 0.00 | — | 0.02 | Apr 9, 2019 | In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser… | |||
| CVE-2019-10243 | 0.00 | — | 0.01 | Apr 9, 2019 | In Eclipse Kura versions up to 4.0.0, Kura exposes the underlying Ui Web server version in its replies. This can be used as a hint by an attacker to specifically craft attacks to the web server run by Kura. | |||
| CVE-2018-12545 | 0.00 | — | 0.05 | Mar 27, 2019 | In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory… | |||
| CVE-2017-7655 | 0.00 | — | 0.02 | Mar 27, 2019 | In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library. | |||
| CVE-2018-12551 | 0.00 | — | 0.01 | Mar 27, 2019 | When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs,… | |||
| CVE-2018-12550 | 0.00 | — | 0.01 | Mar 27, 2019 | When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour… | |||
| CVE-2018-12546 | 0.00 | — | 0.01 | Mar 27, 2019 | In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this… | |||
| CVE-2019-9004 | 0.00 | — | 0.02 | Feb 22, 2019 | In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of… | |||
| CVE-2018-12549 | 0.00 | — | 0.02 | Feb 11, 2019 | In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. | |||
| CVE-2018-12547 | 0.00 | — | 0.03 | Feb 11, 2019 | In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user… | |||
| CVE-2018-12548 | 0.00 | — | 0.01 | Jan 31, 2019 | In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code. | |||
| CVE-2018-20145 | 0.00 | — | 0.02 | Dec 13, 2018 | Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored. | |||
| CVE-2018-12543 | 0.00 | — | 0.36 | Nov 15, 2018 | In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit. | |||
| CVE-2009-4609 | 0.00 | — | 0.02 | Jan 13, 2010 | The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable. | |||
| CVE-2009-3579 | 0.00 | — | 0.01 | Oct 7, 2009 | Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject arbitrary web script or HTML via the Value parameter in a GET request to cookie/. |
- CVE-2021-28162Mar 12, 2021risk 0.00cvss —epss 0.01
In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.
- CVE-2021-28161Mar 12, 2021risk 0.00cvss —epss 0.01
In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.
- CVE-2020-27225Mar 9, 2021risk 0.00cvss —epss 0.00
In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich…
- CVE-2020-27224Feb 24, 2021risk 0.00cvss —epss 0.02
In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.
- CVE-2020-27222Feb 3, 2021risk 0.00cvss —epss 0.01
In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS…
- CVE-2020-27221Jan 21, 2021risk 0.00cvss —epss 0.02
In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.
- CVE-2020-14368Dec 14, 2020risk 0.00cvss —epss 0.01
A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site…
- CVE-2020-27218Nov 28, 2020risk 0.00cvss —epss 0.08
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request…
- CVE-2020-27216Oct 23, 2020risk 0.00cvss —epss 0.04
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a…
- CVE-2019-17639Jul 15, 2020risk 0.00cvss —epss 0.01
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an…
- CVE-2019-17637Jul 15, 2020risk 0.00cvss —epss 0.01
In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in…
- CVE-2019-17638Jul 9, 2020risk 0.00cvss —epss 0.11
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice.…
- CVE-2020-9040Jun 8, 2020risk 0.00cvss —epss 0.01
Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing…
- CVE-2020-10689Apr 3, 2020risk 0.00cvss —epss 0.01
A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge…
- CVE-2019-17636Mar 10, 2020risk 0.00cvss —epss 0.01
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's…
- CVE-2019-17634Jan 17, 2020risk 0.00cvss —epss 0.02
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to…
- CVE-2019-17635Jan 17, 2020risk 0.00cvss —epss 0.01
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump…
- CVE-2019-17633Dec 19, 2019risk 0.00cvss —epss 0.01
For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local…
- CVE-2019-17632Nov 25, 2019risk 0.00cvss —epss 0.02
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
- CVE-2009-5046Nov 6, 2019risk 0.00cvss —epss 0.02
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
- CVE-2009-5045Nov 6, 2019risk 0.00cvss —epss 0.02
Dump Servlet information leak in jetty before 6.1.22.
- CVE-2009-5049Nov 6, 2019risk 0.00cvss —epss 0.02
WebApp JSP Snoop page XSS in jetty though 6.1.21.
- CVE-2019-17631Oct 17, 2019risk 0.00cvss —epss 0.02
From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks.
- CVE-2019-11778Sep 18, 2019risk 0.00cvss —epss 0.01
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free…
- CVE-2019-11773Sep 12, 2019risk 0.00cvss —epss 0.00
Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
- CVE-2019-11774Sep 12, 2019risk 0.00cvss —epss 0.01
Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that…
- CVE-2019-11776Aug 9, 2019risk 0.00cvss —epss 0.01
In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context.
- CVE-2019-11775Jul 30, 2019risk 0.00cvss —epss 0.01
All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of…
- CVE-2019-11772Jul 17, 2019risk 0.00cvss —epss 0.02
In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of…
- CVE-2019-11771Jul 17, 2019risk 0.00cvss —epss 0.00
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
- CVE-2019-11770Jun 14, 2019risk 0.00cvss —epss 0.01
In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced.…
- CVE-2019-10246Apr 22, 2019risk 0.00cvss —epss 0.04
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information…
- CVE-2019-10247Apr 22, 2019risk 0.00cvss —epss 0.06
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a…
- CVE-2019-10245Apr 19, 2019risk 0.00cvss —epss 0.02
In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load.
- CVE-2019-10242Apr 9, 2019risk 0.00cvss —epss 0.02
In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked the path passed during servlet call, potentially allowing path traversal in get requests for a limited number of file types.
- CVE-2019-10244Apr 9, 2019risk 0.00cvss —epss 0.02
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser…
- CVE-2019-10243Apr 9, 2019risk 0.00cvss —epss 0.01
In Eclipse Kura versions up to 4.0.0, Kura exposes the underlying Ui Web server version in its replies. This can be used as a hint by an attacker to specifically craft attacks to the web server run by Kura.
- CVE-2018-12545Mar 27, 2019risk 0.00cvss —epss 0.05
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory…
- CVE-2017-7655Mar 27, 2019risk 0.00cvss —epss 0.02
In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.
- CVE-2018-12551Mar 27, 2019risk 0.00cvss —epss 0.01
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs,…
- CVE-2018-12550Mar 27, 2019risk 0.00cvss —epss 0.01
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour…
- CVE-2018-12546Mar 27, 2019risk 0.00cvss —epss 0.01
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this…
- CVE-2019-9004Feb 22, 2019risk 0.00cvss —epss 0.02
In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of…
- CVE-2018-12549Feb 11, 2019risk 0.00cvss —epss 0.02
In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it.
- CVE-2018-12547Feb 11, 2019risk 0.00cvss —epss 0.03
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user…
- CVE-2018-12548Jan 31, 2019risk 0.00cvss —epss 0.01
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.
- CVE-2018-20145Dec 13, 2018risk 0.00cvss —epss 0.02
Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.
- CVE-2018-12543Nov 15, 2018risk 0.00cvss —epss 0.36
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit.
- CVE-2009-4609Jan 13, 2010risk 0.00cvss —epss 0.02
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.
- CVE-2009-3579Oct 7, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject arbitrary web script or HTML via the Value parameter in a GET request to cookie/.
Page 4 of 5