Latest Eclipse Vulnerabilities

CVE-2023-6194
In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user ch...
Eclipse Memory Analyzer>=0.7<=1.14.0
CVE-2023-5676
Eclipse OpenJ9 possible infinite busy hang
Eclipse Openj9<0.41.0
redhat/java-1.8.0-ibm<8.0.8.15
IBM Secure Proxy<=6.0.3
IBM Secure Proxy<=6.1.0
CVE-2023-4218
XXE in eclipse.platform / Eclipse IDE
Eclipse Eclipse Ide<4.29
Eclipse Org.eclipse.core.runtime<3.29.0
Eclipse Pde<3.13.2400
maven/org.eclipse.jdt:org.eclipse.jdt.ui<3.30.0
maven/org.eclipse.platform:org.eclipse.urischeme<1.3.100
maven/org.eclipse.platform:org.eclipse.ui.workbench<3.130.0
and 5 more
CVE-2023-4043
Parsson DoS when parsing numbers from untrusted sources
Eclipse Parsson<1.0.5
Eclipse Parsson>=1.1.0<1.1.4
maven/org.eclipse.parsson:project<1.0.5
maven/org.eclipse.parsson:project>=1.1.0<1.1.4
redhat/parsson<1.1.4
redhat/parsson<1.0.5
CVE-2023-5763
Glassfish remote code execution
Eclipse GlassFish>=5.0.0<=6.2.5
maven/org.glassfish.main.orb:orb-connector>=5.0.0<7.0.0
CVE-2023-5632
In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. T...
Eclipse Mosquitto<2.0.6
CVE-2023-36478
HTTP/2 HPACK integer overflow and buffer allocation
debian/jetty9<=9.4.16-0+deb10u1<=9.4.39-3+deb11u2
redhat/http2-hpack<10.0.16
redhat/http2-hpack<11.0.16
redhat/http2-hpack<9.4.53
redhat/http3-qpack<10.0.16
redhat/http3-qpack<11.0.161
and 15 more
CVE-2023-44487
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 556 more
CVE-2023-3592
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
<2.0.16
Eclipse Mosquitto<2.0.16
debian/mosquitto<=2.0.11-1<=2.0.11-1.2
CVE-2023-4760
In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure ex...
Eclipse Remote Application Platform>=3.0.0<=3.25.0
CVE-2023-41900
Jetty's OpenId Revoked authentication allows one request
Eclipse Jetty>=9.4.21<9.4.52
Eclipse Jetty>=10.0.0<10.0.16
Eclipse Jetty>=11.0.0<11.0.16
Debian Debian Linux=11.0
Debian Debian Linux=12.0
maven/org.eclipse.jetty:jetty-openid>=11.0.0<=11.0.15
and 8 more
CVE-2023-40167
### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such reque...
maven/org.eclipse.jetty:jetty-http=12.0.0
maven/org.eclipse.jetty:jetty-http>=11.0.0<=11.0.15
maven/org.eclipse.jetty:jetty-http>=10.0.0<=10.0.15
maven/org.eclipse.jetty:jetty-http>=9.0.0<=9.4.51
Eclipse Jetty>=9.0.0<9.4.52
Eclipse Jetty>=10.0.0<10.0.16
and 17 more
CVE-2023-36479
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user send...
maven/org.eclipse.jetty.ee8:jetty-ee8-servlets<=12.0.0-beta1
maven/org.eclipse.jetty.ee9:jetty-ee9-servlets<=12.0.0-beta1
maven/org.eclipse.jetty.ee10:jetty-ee10-servlets<=12.0.0-beta1
maven/org.eclipse.jetty:jetty-servlets>=11.0.0<=11.0.15
maven/org.eclipse.jetty:jetty-servlets>=10.0.0<=10.0.15
maven/org.eclipse.jetty:jetty-servlets>=9.0.0<=9.4.51
and 18 more
CVE-2023-4759
Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write
Eclipse JGit>=6.6.0<6.6.1.202309021850
Eclipse JGit>=6.7.0<6.7.0.202309050840
maven/org.eclipse.jgit:org.eclipse.jgit<5.13.3.202401111512-r
maven/org.eclipse.jgit:org.eclipse.jgit>=6.0.0.202111291000-r<=6.6.0.202305301015-r
Eclipse JGit<6.6.0.202305301015
Eclipse JGit<5.13.3.202401111512-r
and 1 more
CVE-2023-0809
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
debian/mosquitto<=2.0.11-1<=2.0.11-1.2
Eclipse Mosquitto<2.0.16
redhat/mosquitto<2.0.16
CVE-2023-28366
The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond t...
>=1.3.2<2.0.16
Eclipse Mosquitto>=1.3.2<2.0.16
debian/mosquitto<=1.5.7-1+deb10u1<=2.0.11-1<=2.0.11-1.2
CVE-2023-41034
### Impact `DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to [XXE Attacks](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing). ...
maven/org.eclipse.leshan:leshan-core>=2.0.0-M1<2.0.0-M13
maven/org.eclipse.leshan:leshan-core<1.5.0
Eclipse Leshan<1.5.0
Eclipse Leshan=2.0.0-milestone1
Eclipse Leshan=2.0.0-milestone10
Eclipse Leshan=2.0.0-milestone11
and 9 more
CVE-2023-2597
Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overf...
Eclipse Openj9<0.38.0
IBM Cloud Pak for Business Automation<=V23.0.1
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF022
IBM Cloud Pak for Business Automation<=V22.0.2 - V22.0.2-IF006 and later fixesV22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes
CVE-2023-26049
Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the...
maven/org.eclipse.jetty:jetty-server<9.4.51.v20230217
maven/org.eclipse.jetty:jetty-server>=12.0.0alpha0<12.0.0.beta0
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.14
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.14
Eclipse Jetty<9.4.51
Eclipse Jetty>=10.0.0<10.0.14
and 18 more
CVE-2023-26048
### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when t...
maven/org.eclipse.jetty:jetty-server<9.4.51.v20230217
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.14
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.14
Eclipse Jetty<9.4.51
Eclipse Jetty>=10.0.0<10.0.14
Eclipse Jetty>=11.0.0<11.0.14
and 5 more
CVE-2023-0100
In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.c...
Eclipse Business Intelligence And Reporting Tools>=2.6.2<4.13.0
CVE-2023-24815
### Summary When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker c...
maven/io.vertx:vertx-web>=4.0.0<4.3.8
redhat/vertx-web<4.3.8
Eclipse Vert.x-Web>=4.0.0<4.3.8
IBM Cloud Pak for Business Automation<=V23.0.1 - V23.0.1-IF001
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF023
IBM Cloud Pak for Business Automation<=V22.0.2 - V22.0.2-IF006 and later fixes V22.0.1 - V22.0.1-IF006 and later fixes V21.0.2 - V21.0.2-IF012 and later fixes V21.0.1 - V21.0.1-IF007 and later fixes V20.0.1 - V20.0.3 and later fixes V19.0.1 - V19.0.3 and later fixes V18.0.0 - V18.0.2 and later fixes
CVE-2022-36022
Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-...
Eclipse Deeplearning4j<1.0.0
Eclipse Deeplearning4j=1.0.0-beta5
Eclipse Deeplearning4j=1.0.0-beta6
Eclipse Deeplearning4j=1.0.0-beta7
Eclipse Deeplearning4j=1.0.0-milestone1
Eclipse Deeplearning4j=1.0.0-milestone1.1
and 1 more
CVE-2022-39368
Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Servi...
Eclipse Californium<2.7.4
Eclipse Californium>=3.0.0<3.7.0
CVE-2022-3676
Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an at...
Eclipse Openj9<0.35.0
IBM Cloud Pak for Business Automation<=V22.0.2
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF016
IBM Cloud Pak for Business Automation<=V22.0.1 - V22.0.1-IF006 and later fixes V21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes
CVE-2022-25897
The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests...
Eclipse Milo<0.6.8
CVE-2022-2838
In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able t...
Eclipse Sphinx>=0.7.0<0.13.1
CVE-2022-2576
In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if...
Eclipse Californium>=2.0.0<=2.7.2
Eclipse Californium>=3.0.0<=3.5.0
CVE-2015-8031
In versions prior to 3.3.2, Hudson exhibits a flaw in its XML API processing that can allow access to potentially sensitive information on the filesystem of the Hudson master server.
maven/org.jvnet.hudson.main:hudson-core<3.3.2
Eclipse Hudson<3.2.2
CVE-2021-41037
In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-li...
Eclipse Equinox P2>=1.0.0
CVE-2021-41042
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external D...
Eclipse Lyo>=1.0.0<=4.1.0
CVE-2022-2048
### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the...
redhat/jenkins<0:2.401.1.1686831596-3.el8
redhat/jenkins<0:2.361.1.1672840472-1.el8
redhat/jenkins<0:2.361.1.1675668150-1.el8
maven/org.eclipse.jetty.http2:http2-server>=11.0.0<11.0.10
maven/org.eclipse.jetty.http2:http2-server>=10.0.0<10.0.10
maven/org.eclipse.jetty.http2:http2-server<9.4.47
and 14 more
CVE-2022-2191
Eclipse Jetty is vulnerable to a denial of service, caused by a flaw with SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. By sending a specially-...
Eclipse Jetty>=10.0.0<=10.0.9
Eclipse Jetty>=11.0.0<=11.0.9
IBM Cognos Command Center<=10.2.4.1
CVE-2022-2047
Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this...
Eclipse Jetty<9.4.46
Eclipse Jetty>=10.0.0<10.0.9
Eclipse Jetty>=11.0.0<=11.0.9
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Netapp Element Plug-in For Vcenter Server
and 6 more
CVE-2021-38441
Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.
Eclipse CycloneDDS<0.8.0
CVE-2021-38443
Eclipse CycloneDDS<0.8.0
CVE-2021-41041
In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified ...
Eclipse Openj9<0.32.0
Oracle Java SE=8
Oracle Java SE=11
CVE-2022-0673
A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoning of external schema files due to directory traversal.
Eclipse Lemminx<0.19.0
CVE-2022-0672
A flaw was found in LemMinX in versions prior to 0.19.0. Insecure redirect could allow unauthorized access to sensitive information locally if LemMinX is run under a privileged user.
Eclipse Lemminx<0.19.0
CVE-2021-41040
In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data.
Eclipse Wakaama=1.0
CVE-2021-41039
In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possi...
Eclipse Mosquitto>=1.6<=2.0.11
debian/mosquitto<=2.0.11-1
CVE-2021-41038
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
Eclipse Theia<1.18.0
CVE-2021-41036
In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.
Eclipse Paho Mqtt C\/c\+\+ Client<1.1.0
CVE-2021-41035
Eclipse Openj9 could allow a remote attacker to gain elevated privileges on the system, caused by not throwing IllegalAccessError for MethodHandles that invoke inaccessible interface methods. By persu...
redhat/java<1.8.0-ibm-1:1.8.0.7.0-1jpp.1.el7
redhat/java<1.7.1-ibm-1:1.7.1.5.0-1jpp.1.el7
redhat/java<1.8.0-ibm-1:1.8.0.7.0-1.el8_5
Eclipse Openj9<0.29.0
IBM Cognos Analytics<=12.0.0-12.0.1
IBM Cognos Analytics<=11.2.0-11.2.4 FP2
and 1 more
CVE-2021-41034
The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks tha...
Eclipse Che>=6.0.0<7.0.0
CVE-2021-41033
In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be ...
Eclipse Equinox<4.21
Eclipse Equinox=4.21
CVE-2021-32835
Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code exec...
Eclipse Keti
CVE-2021-32834
Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious G...
Eclipse Keti
CVE-2021-34436
Eclipse Theia>=0.1.1<=0.2.0
CVE-2021-34435
Eclipse Theia>=0.3.9<=1.8.1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203