What is CVE-2021-41037?

CVE-2021-41037 is a vulnerability in Eclipse p2 that allows installable units to alter the Eclipse Platform installation and the local machine during installation.

How does CVE-2021-41037 affect Eclipse Equinox P2?

CVE-2021-41037 affects Eclipse Equinox P2 by allowing installable units to modify the Eclipse Platform installation and the local machine through touchpoints during installation.

What is the severity of CVE-2021-41037?

CVE-2021-41037 has a severity level of high, with a CVSS severity score of 8.

How can CVE-2021-41037 be exploited?

CVE-2021-41037 can be exploited by malicious installable units that are able to execute touchpoints during Eclipse p2 installation.

Is there a fix for CVE-2021-41037?

Yes, updates and patches are available to address and fix the vulnerability.

Vulnerability/
CVE-2021-41037

high

CWE

829

8/7/2022

15/7/2022

CVE-2021-41037

First published: Fri Jul 08 2022(Updated: )

In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.

Credit: emo@eclipse.org

Affected Software	Affected Version	How to fix
Eclipse Equinox P2	>=1.0.0

Never miss a vulnerability like this again

Reference Links

https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029

Frequently Asked Questions

What is CVE-2021-41037?
CVE-2021-41037 is a vulnerability in Eclipse p2 that allows installable units to alter the Eclipse Platform installation and the local machine during installation.
How does CVE-2021-41037 affect Eclipse Equinox P2?
CVE-2021-41037 affects Eclipse Equinox P2 by allowing installable units to modify the Eclipse Platform installation and the local machine through touchpoints during installation.
What is the severity of CVE-2021-41037?
CVE-2021-41037 has a severity level of high, with a CVSS severity score of 8.
How can CVE-2021-41037 be exploited?
CVE-2021-41037 can be exploited by malicious installable units that are able to execute touchpoints during Eclipse p2 installation.
Is there a fix for CVE-2021-41037?
Yes, updates and patches are available to address and fix the vulnerability.

collector/nvd-index
agent/references
agent/author
agent/severity
agent/weakness
agent/tags
agent/type
agent/event
agent/description
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
vendor/eclipse
canonical/eclipse equinox p2
version/eclipse equinox p2/1.0.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.