Filtered by vendor Eclipse
Subscriptions
Total
188 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2597 | 1 Eclipse | 1 Openj9 | 2024-11-21 | 7 High |
| In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer. | ||||
| CVE-2023-28366 | 2 Eclipse, Redhat | 3 Mosquitto, Satellite, Satellite Capsule | 2024-11-21 | 7.5 High |
| The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function. | ||||
| CVE-2022-3676 | 1 Eclipse | 1 Openj9 | 2024-11-21 | 6.5 Medium |
| In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type. | ||||
| CVE-2022-39368 | 2 Eclipse, Redhat | 3 Californium, Camel K, Camel Spring Boot | 2024-11-21 | 8.2 High |
| Eclipse Californium is a Java implementation of RFC7252 - Constrained Application Protocol for IoT Cloud services. In versions prior to 3.7.0, and 2.7.4, Californium is vulnerable to a Denial of Service. Failing handshakes don't cleanup counters for throttling, causing the threshold to be reached without being released again. This results in permanently dropping records. The issue was reported for certificate based handshakes, but may also affect PSK based handshakes. It generally affects client and server as well. This issue is patched in version 3.7.0 and 2.7.4. There are no known workarounds. main: commit 726bac57659410da463dcf404b3e79a7312ac0b9 2.7.x: commit 5648a0c27c2c2667c98419254557a14bac2b1f3f | ||||
| CVE-2022-36022 | 1 Eclipse | 1 Deeplearning4j | 2024-11-21 | 5.3 Medium |
| Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here. | ||||
| CVE-2022-2838 | 1 Eclipse | 1 Sphinx | 2024-11-21 | 5.3 Medium |
| In Eclipse Sphinxâ„¢ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests. | ||||
| CVE-2022-2712 | 1 Eclipse | 1 Glassfish | 2024-11-21 | 6.5 Medium |
| In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code. | ||||
| CVE-2022-2576 | 1 Eclipse | 1 Californium | 2024-11-21 | 7.5 High |
| In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0. | ||||
| CVE-2022-2191 | 2 Eclipse, Redhat | 2 Jetty, Amq Streams | 2024-11-21 | 7.5 High |
| In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. | ||||
| CVE-2022-2048 | 5 Debian, Eclipse, Jenkins and 2 more | 12 Debian Linux, Jetty, Jenkins and 9 more | 2024-11-21 | 7.5 High |
| In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. | ||||
| CVE-2022-2047 | 4 Debian, Eclipse, Netapp and 1 more | 9 Debian Linux, Jetty, Element Plug-in For Vcenter Server and 6 more | 2024-11-21 | 2.7 Low |
| In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. | ||||
| CVE-2022-25897 | 2 Eclipse, Redhat | 2 Milo, Camel Spring Boot | 2024-11-21 | 5.9 Medium |
| The package org.eclipse.milo:sdk-server before 0.6.8 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False. | ||||
| CVE-2022-0673 | 1 Eclipse | 1 Lemminx | 2024-11-21 | 6.5 Medium |
| A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoning of external schema files due to directory traversal. | ||||
| CVE-2022-0672 | 1 Eclipse | 1 Lemminx | 2024-11-21 | 5.5 Medium |
| A flaw was found in LemMinX in versions prior to 0.19.0. Insecure redirect could allow unauthorized access to sensitive information locally if LemMinX is run under a privileged user. | ||||
| CVE-2021-41042 | 1 Eclipse | 1 Lyo | 2024-11-21 | 5.3 Medium |
| In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an external DTD to be retrieved. | ||||
| CVE-2021-41041 | 3 Eclipse, Oracle, Redhat | 4 Openj9, Java Se, Enterprise Linux and 1 more | 2024-11-21 | 5.3 Medium |
| In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. | ||||
| CVE-2021-41040 | 1 Eclipse | 1 Wakaama | 2024-11-21 | 7.5 High |
| In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data. | ||||
| CVE-2021-41039 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | 7.5 High |
| In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. | ||||
| CVE-2021-41038 | 1 Eclipse | 1 Theia | 2024-11-21 | 6.1 Medium |
| In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | ||||
| CVE-2021-41037 | 1 Eclipse | 1 Equinox P2 | 2024-11-21 | 10 Critical |
| In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source. | ||||