Latest Eclipse Vulnerabilities

In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user ch...
Eclipse Memory Analyzer>=0.7<=1.14.0
Eclipse OpenJ9 possible infinite busy hang
Eclipse Openj9<0.41.0
redhat/java-1.8.0-ibm<8.0.8.15
IBM Secure Proxy<=6.0.3
IBM Secure Proxy<=6.1.0
XXE in eclipse.platform / Eclipse IDE
Eclipse Eclipse Ide<4.29
Eclipse Org.eclipse.core.runtime<3.29.0
Eclipse Pde<3.13.2400
maven/org.eclipse.jdt:org.eclipse.jdt.ui<3.30.0
maven/org.eclipse.platform:org.eclipse.urischeme<1.3.100
maven/org.eclipse.platform:org.eclipse.ui.workbench<3.130.0
and 5 more
Parsson DoS when parsing numbers from untrusted sources
Eclipse Parsson<1.0.5
Eclipse Parsson>=1.1.0<1.1.4
maven/org.eclipse.parsson:project<1.0.5
maven/org.eclipse.parsson:project>=1.1.0<1.1.4
redhat/parsson<1.1.4
redhat/parsson<1.0.5
Glassfish remote code execution
Eclipse GlassFish>=5.0.0<=6.2.5
maven/org.glassfish.main.orb:orb-connector>=5.0.0<7.0.0
In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. T...
Eclipse Mosquitto<2.0.6
HTTP/2 HPACK integer overflow and buffer allocation
debian/jetty9<=9.4.16-0+deb10u1<=9.4.39-3+deb11u2
redhat/http2-hpack<10.0.16
redhat/http2-hpack<11.0.16
redhat/http2-hpack<9.4.53
redhat/http3-qpack<10.0.16
redhat/http3-qpack<11.0.161
and 15 more
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 553 more
In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
<2.0.16
Eclipse Mosquitto<2.0.16
debian/mosquitto<=2.0.11-1<=2.0.11-1.2
In Eclipse RAP versions from 3.0.0 up to and including 3.25.0, Remote Code Execution is possible on Windows when using the FileUpload component. The reason for this is a not completely secure ex...
Eclipse Remote Application Platform>=3.0.0<=3.25.0
Jetty's OpenId Revoked authentication allows one request
Eclipse Jetty>=9.4.21<9.4.52
Eclipse Jetty>=10.0.0<10.0.16
Eclipse Jetty>=11.0.0<11.0.16
Debian Debian Linux=11.0
Debian Debian Linux=12.0
maven/org.eclipse.jetty:jetty-openid>=11.0.0<=11.0.15
and 8 more
### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such reque...
maven/org.eclipse.jetty:jetty-http=12.0.0
maven/org.eclipse.jetty:jetty-http>=11.0.0<=11.0.15
maven/org.eclipse.jetty:jetty-http>=10.0.0<=10.0.15
maven/org.eclipse.jetty:jetty-http>=9.0.0<=9.4.51
Eclipse Jetty>=9.0.0<9.4.52
Eclipse Jetty>=10.0.0<10.0.16
and 17 more
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user send...
maven/org.eclipse.jetty.ee8:jetty-ee8-servlets<=12.0.0-beta1
maven/org.eclipse.jetty.ee9:jetty-ee9-servlets<=12.0.0-beta1
maven/org.eclipse.jetty.ee10:jetty-ee10-servlets<=12.0.0-beta1
maven/org.eclipse.jetty:jetty-servlets>=11.0.0<=11.0.15
maven/org.eclipse.jetty:jetty-servlets>=10.0.0<=10.0.15
maven/org.eclipse.jetty:jetty-servlets>=9.0.0<=9.4.51
and 18 more
Improper handling of case insensitive filesystems in Eclipse JGit allows arbitrary file write
Eclipse JGit>=6.6.0<6.6.1.202309021850
Eclipse JGit>=6.7.0<6.7.0.202309050840
Eclipse JGit<6.6.0.202305301015
maven/org.eclipse.jgit:org.eclipse.jgit<5.13.3.202401111512-r
maven/org.eclipse.jgit:org.eclipse.jgit>=6.0.0.202111291000-r<=6.6.0.202305301015-r
In Mosquitto before 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
debian/mosquitto<=2.0.11-1<=2.0.11-1.2
Eclipse Mosquitto<2.0.16
redhat/mosquitto<2.0.16
The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond t...
>=1.3.2<2.0.16
Eclipse Mosquitto>=1.3.2<2.0.16
debian/mosquitto<=1.5.7-1+deb10u1<=2.0.11-1<=2.0.11-1.2
### Impact `DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to [XXE Attacks](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing). ...
maven/org.eclipse.leshan:leshan-core>=2.0.0-M1<2.0.0-M13
maven/org.eclipse.leshan:leshan-core<1.5.0
Eclipse Leshan<1.5.0
Eclipse Leshan=2.0.0-milestone1
Eclipse Leshan=2.0.0-milestone10
Eclipse Leshan=2.0.0-milestone11
and 9 more
Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overf...
Eclipse Openj9<0.38.0
IBM Cloud Pak for Business Automation<=V23.0.1
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF022
IBM Cloud Pak for Business Automation<=V22.0.2 - V22.0.2-IF006 and later fixesV22.0.1 - V22.0.1-IF006 and later fixesV21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes
Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the...
maven/org.eclipse.jetty:jetty-server<9.4.51.v20230217
maven/org.eclipse.jetty:jetty-server>=12.0.0alpha0<12.0.0.beta0
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.14
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.14
Eclipse Jetty<9.4.51
Eclipse Jetty>=10.0.0<10.0.14
and 18 more
### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when t...
maven/org.eclipse.jetty:jetty-server<9.4.51.v20230217
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.14
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.14
Eclipse Jetty<9.4.51
Eclipse Jetty>=10.0.0<10.0.14
Eclipse Jetty>=11.0.0<11.0.14
and 5 more
In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.c...
Eclipse Business Intelligence And Reporting Tools>=2.6.2<4.13.0
### Summary When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker c...
maven/io.vertx:vertx-web>=4.0.0<4.3.8
redhat/vertx-web<4.3.8
Eclipse Vert.x-Web>=4.0.0<4.3.8
IBM Cloud Pak for Business Automation<=V23.0.1 - V23.0.1-IF001
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF023
IBM Cloud Pak for Business Automation<=V22.0.2 - V22.0.2-IF006 and later fixes V22.0.1 - V22.0.1-IF006 and later fixes V21.0.2 - V21.0.2-IF012 and later fixes V21.0.1 - V21.0.1-IF007 and later fixes V20.0.1 - V20.0.3 and later fixes V19.0.1 - V19.0.3 and later fixes V18.0.0 - V18.0.2 and later fixes
Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-...
Eclipse Deeplearning4j<1.0.0
Eclipse Deeplearning4j=1.0.0-beta5
Eclipse Deeplearning4j=1.0.0-beta6
Eclipse Deeplearning4j=1.0.0-beta7
Eclipse Deeplearning4j=1.0.0-milestone1
Eclipse Deeplearning4j=1.0.0-milestone1.1
and 1 more
Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Servi...
Eclipse Californium<2.7.4
Eclipse Californium>=3.0.0<3.7.0
Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an at...
Eclipse Openj9<0.35.0
IBM Cloud Pak for Business Automation<=V22.0.2
IBM Cloud Pak for Business Automation<=V21.0.3 - V21.0.3-IF016
IBM Cloud Pak for Business Automation<=V22.0.1 - V22.0.1-IF006 and later fixes V21.0.2 - V21.0.2-IF012 and later fixesV21.0.1 - V21.0.1-IF007 and later fixesV20.0.1 - V20.0.3 and later fixesV19.0.1 - V19.0.3 and later fixesV18.0.0 - V18.0.2 and later fixes
The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests...
Eclipse Milo<0.6.8
In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able t...
Eclipse Sphinx>=0.7.0<0.13.1
In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if...
Eclipse Californium>=2.0.0<=2.7.2
Eclipse Californium>=3.0.0<=3.5.0
In versions prior to 3.3.2, Hudson exhibits a flaw in its XML API processing that can allow access to potentially sensitive information on the filesystem of the Hudson master server.
maven/org.jvnet.hudson.main:hudson-core<3.3.2
Eclipse Hudson<3.2.2
In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-li...
Eclipse Equinox P2>=1.0.0
In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external D...
Eclipse Lyo>=1.0.0<=4.1.0
### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the...
redhat/jenkins<0:2.401.1.1686831596-3.el8
redhat/jenkins<0:2.361.1.1672840472-1.el8
redhat/jenkins<0:2.361.1.1675668150-1.el8
maven/org.eclipse.jetty.http2:http2-server>=11.0.0<11.0.10
maven/org.eclipse.jetty.http2:http2-server>=10.0.0<10.0.10
maven/org.eclipse.jetty.http2:http2-server<9.4.47
and 14 more
Eclipse Jetty is vulnerable to a denial of service, caused by a flaw with SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. By sending a specially-...
Eclipse Jetty>=10.0.0<=10.0.9
Eclipse Jetty>=11.0.0<=11.0.9
IBM Cognos Command Center<=10.2.4.1
Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this...
Eclipse Jetty<9.4.46
Eclipse Jetty>=10.0.0<10.0.9
Eclipse Jetty>=11.0.0<=11.0.9
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Netapp Element Plug-in For Vcenter Server
and 6 more
Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser.
Eclipse CycloneDDS<0.8.0
Eclipse CycloneDDS<0.8.0
A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoning of external schema files due to directory traversal.
Eclipse Lemminx<0.19.0
A flaw was found in LemMinX in versions prior to 0.19.0. Insecure redirect could allow unauthorized access to sensitive information locally if LemMinX is run under a privileged user.
Eclipse Lemminx<0.19.0
In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data.
Eclipse Wakaama=1.0
In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possi...
Eclipse Mosquitto>=1.6<=2.0.11
debian/mosquitto<=2.0.11-1
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
Eclipse Theia<1.18.0
In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.
Eclipse Paho Mqtt C\/c\+\+ Client<1.1.0
Eclipse Openj9 could allow a remote attacker to gain elevated privileges on the system, caused by not throwing IllegalAccessError for MethodHandles that invoke inaccessible interface methods. By persu...
redhat/java<1.8.0-ibm-1:1.8.0.7.0-1jpp.1.el7
redhat/java<1.7.1-ibm-1:1.7.1.5.0-1jpp.1.el7
redhat/java<1.8.0-ibm-1:1.8.0.7.0-1.el8_5
Eclipse Openj9<0.29.0
IBM Cognos Analytics<=12.0.0-12.0.1
IBM Cognos Analytics<=11.2.0-11.2.4 FP2
and 1 more
The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks tha...
Eclipse Che>=6.0.0<7.0.0
In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be ...
Eclipse Equinox<4.21
Eclipse Equinox=4.21
Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code exec...
Eclipse Keti
Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious G...
Eclipse Keti
Eclipse Theia>=0.1.1<=0.2.0
Eclipse Theia>=0.3.9<=1.8.1
In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then exis...
Eclipse Mosquitto>=2.0.0<=2.0.11
Fedoraproject Fedora=34
Fedoraproject Fedora=35
debian/mosquitto<=2.0.11-1<=2.0.11-1.2

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203