VYPR

Vendor CVEs

Eclipse

All CVEs

209 total · sorted by risk
  • CVE-2021-28162Mar 12, 2021
    risk 0.00cvss epss 0.01

    In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.

  • CVE-2021-28161Mar 12, 2021
    risk 0.00cvss epss 0.01

    In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.

  • CVE-2020-27225Mar 9, 2021
    risk 0.00cvss epss 0.00

    In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich…

  • CVE-2020-27224Feb 24, 2021
    risk 0.00cvss epss 0.02

    In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.

  • CVE-2020-27222Feb 3, 2021
    risk 0.00cvss epss 0.01

    In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS…

  • CVE-2020-27221Jan 21, 2021
    risk 0.00cvss epss 0.02

    In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.

  • CVE-2020-14368Dec 14, 2020
    risk 0.00cvss epss 0.01

    A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site…

  • CVE-2020-27218Nov 28, 2020
    risk 0.00cvss epss 0.08

    In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request…

  • CVE-2020-27216Oct 23, 2020
    risk 0.00cvss epss 0.04

    In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a…

  • CVE-2019-17639Jul 15, 2020
    risk 0.00cvss epss 0.01

    In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an…

  • CVE-2019-17637Jul 15, 2020
    risk 0.00cvss epss 0.01

    In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in…

  • CVE-2019-17638Jul 9, 2020
    risk 0.00cvss epss 0.11

    In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice.…

  • CVE-2020-9040Jun 8, 2020
    risk 0.00cvss epss 0.01

    Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing…

  • CVE-2020-10689Apr 3, 2020
    risk 0.00cvss epss 0.01

    A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge…

  • CVE-2019-17636Mar 10, 2020
    risk 0.00cvss epss 0.01

    In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's…

  • CVE-2019-17634Jan 17, 2020
    risk 0.00cvss epss 0.02

    Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to…

  • CVE-2019-17635Jan 17, 2020
    risk 0.00cvss epss 0.01

    Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump…

  • CVE-2019-17633Dec 19, 2019
    risk 0.00cvss epss 0.01

    For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could trigger the start of an arbitrary Che workspace. Che with no authentication and no TLS is not usually deployed on a public network but is often used for local…

  • CVE-2019-17632Nov 25, 2019
    risk 0.00cvss epss 0.02

    In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

  • CVE-2009-5046Nov 6, 2019
    risk 0.00cvss epss 0.02

    JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.

  • CVE-2009-5045Nov 6, 2019
    risk 0.00cvss epss 0.02

    Dump Servlet information leak in jetty before 6.1.22.

  • CVE-2009-5049Nov 6, 2019
    risk 0.00cvss epss 0.02

    WebApp JSP Snoop page XSS in jetty though 6.1.21.

  • CVE-2019-17631Oct 17, 2019
    risk 0.00cvss epss 0.02

    From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks.

  • CVE-2019-11778Sep 18, 2019
    risk 0.00cvss epss 0.01

    If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free…

  • CVE-2019-11773Sep 12, 2019
    risk 0.00cvss epss 0.00

    Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users.

  • CVE-2019-11774Sep 12, 2019
    risk 0.00cvss epss 0.01

    Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that…

  • CVE-2019-11776Aug 9, 2019
    risk 0.00cvss epss 0.01

    In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflected XSS in URL parameter. Attacker can execute the payload in victim's browser context.

  • CVE-2019-11775Jul 30, 2019
    risk 0.00cvss epss 0.01

    All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of…

  • CVE-2019-11772Jul 17, 2019
    risk 0.00cvss epss 0.02

    In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of…

  • CVE-2019-11771Jul 17, 2019
    risk 0.00cvss epss 0.00

    AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.

  • CVE-2019-11770Jun 14, 2019
    risk 0.00cvss epss 0.01

    In Eclipse Buildship versions prior to 3.1.1, the build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced.…

  • CVE-2019-10246Apr 22, 2019
    risk 0.00cvss epss 0.04

    In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information…

  • CVE-2019-10247Apr 22, 2019
    risk 0.00cvss epss 0.06

    In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a…

  • CVE-2019-10245Apr 19, 2019
    risk 0.00cvss epss 0.02

    In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load.

  • CVE-2019-10242Apr 9, 2019
    risk 0.00cvss epss 0.02

    In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked the path passed during servlet call, potentially allowing path traversal in get requests for a limited number of file types.

  • CVE-2019-10244Apr 9, 2019
    risk 0.00cvss epss 0.02

    In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser…

  • CVE-2019-10243Apr 9, 2019
    risk 0.00cvss epss 0.01

    In Eclipse Kura versions up to 4.0.0, Kura exposes the underlying Ui Web server version in its replies. This can be used as a hint by an attacker to specifically craft attacks to the web server run by Kura.

  • CVE-2018-12545Mar 27, 2019
    risk 0.00cvss epss 0.05

    In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory…

  • CVE-2017-7655Mar 27, 2019
    risk 0.00cvss epss 0.02

    In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.

  • CVE-2018-12551Mar 27, 2019
    risk 0.00cvss epss 0.01

    When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs,…

  • CVE-2018-12550Mar 27, 2019
    risk 0.00cvss epss 0.01

    When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour…

  • CVE-2018-12546Mar 27, 2019
    risk 0.00cvss epss 0.01

    In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this…

  • CVE-2019-9004Feb 22, 2019
    risk 0.00cvss epss 0.02

    In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of…

  • CVE-2018-12549Feb 11, 2019
    risk 0.00cvss epss 0.02

    In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it.

  • CVE-2018-12547Feb 11, 2019
    risk 0.00cvss epss 0.03

    In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user…

  • CVE-2018-12548Jan 31, 2019
    risk 0.00cvss epss 0.01

    In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.

  • CVE-2018-20145Dec 13, 2018
    risk 0.00cvss epss 0.02

    Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.

  • CVE-2018-12543Nov 15, 2018
    risk 0.00cvss epss 0.36

    In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit.

  • CVE-2009-4609Jan 13, 2010
    risk 0.00cvss epss 0.02

    The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables and other data via a request to a URI ending in /dump/, as demonstrated by discovering the value of the getPathTranslated variable.

  • CVE-2009-3579Oct 7, 2009
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject arbitrary web script or HTML via the Value parameter in a GET request to cookie/.

Page 4 of 5