Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Eclipse Subscribe
Total 141 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-12548 1 Eclipse 1 Openj9 2019-10-09 7.5 HIGH 9.8 CRITICAL
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.
CVE-2018-12539 2 Eclipse, Oracle 2 Openj9, Enterprise Manager Base Platform 2019-10-09 4.6 MEDIUM 7.8 HIGH
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no.
CVE-2018-12537 1 Eclipse 1 Vert.x 2019-10-09 5.0 MEDIUM 5.3 MEDIUM
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2017-7651 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2019-10-09 5.0 MEDIUM 7.5 HIGH
In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.
CVE-2017-7652 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2019-10-09 6.0 MEDIUM 7.5 HIGH
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.
CVE-2017-7654 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2019-10-02 5.0 MEDIUM 7.5 HIGH
In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.
CVE-2017-7650 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2019-10-02 4.0 MEDIUM 6.5 MEDIUM
In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.
CVE-2019-11772 1 Eclipse 1 Openj9 2019-09-02 7.5 HIGH 9.8 CRITICAL
In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.
CVE-2017-7653 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2019-06-20 3.5 LOW 5.3 MEDIUM
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.
CVE-2018-12549 2 Eclipse, Redhat 5 Openj9, Enterprise Linux Desktop, Enterprise Linux Server and 2 more 2019-05-16 7.5 HIGH 9.8 CRITICAL
In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it.
CVE-2018-12547 2 Eclipse, Redhat 5 Openj9, Enterprise Linux Desktop, Enterprise Linux Server and 2 more 2019-05-16 7.5 HIGH 9.8 CRITICAL
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code.
CVE-2017-9868 2 Debian, Eclipse 2 Debian Linux, Mosquitto 2019-03-12 2.1 LOW 5.5 MEDIUM
In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is world readable, which allows local users to obtain sensitive MQTT topic information.
CVE-2015-2080 2 Eclipse, Fedoraproject 2 Jetty, Fedora 2019-03-08 5.0 MEDIUM 7.5 HIGH
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
CVE-2018-20227 1 Eclipse 1 Rdf4j 2019-01-07 6.4 MEDIUM 7.5 HIGH
RDF4J 2.4.2 allows Directory Traversal via ../ in an entry in a ZIP archive.
CVE-2018-1000644 1 Eclipse 1 Rdf4j 2018-11-01 7.5 HIGH 10.0 CRITICAL
Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted RDF file.
CVE-2009-4521 1 Eclipse 1 Birt 2018-10-10 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
CVE-2018-14371 1 Eclipse 1 Mojarra 2018-09-17 5.0 MEDIUM 7.5 HIGH
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
CVE-2017-8315 1 Eclipse 1 Ide 2018-05-22 7.8 HIGH 7.5 HIGH
Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier was found vulnerable to an XML External Entity attack. An attacker can exploit the vulnerability by implementing malicious code on Androidmanifest.xml.
CVE-2017-7649 1 Eclipse 1 Kura 2017-09-29 10.0 HIGH 9.8 CRITICAL
The network enabled distribution of Kura before 2.1.0 takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. Still the Equinox console port 5002 is left open, allowing to log into Kura without any user credentials over unencrypted telnet and executing commands using the Equinox "exec" command. As the process is running as "root" full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and assigns a MAC address based IPv6 address.
CVE-2017-7243 1 Eclipse 1 Tinydtls 2017-03-30 5.0 MEDIUM 7.5 HIGH
Eclipse tinydtls 0.8.2 for Eclipse IoT allows remote attackers to cause a denial of service (DTLS peer crash) by sending a "Change cipher spec" packet without pre-handshake.