Vulnerabilities > Eclipse
|2021-01-14||CVE-2020-27220|| Missing Authorization vulnerability in Eclipse Hono |
The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device.
| 9.0 |
|2021-01-14||CVE-2020-27219|| Cross-Site Scripting vulnerability in Eclipse Hawkbit |
In all versions of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute.
| 4.3 |
|2020-12-14||CVE-2020-14368|| Cross-Site Request Forgery (CSRF) vulnerability in Eclipse Che |
A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces.
| 4.6 |
|2020-11-28||CVE-2020-27218|| Unspecified vulnerability in Eclipse Jetty |
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body.
| 5.8 |
|2020-11-13||CVE-2020-27217|| Unspecified vulnerability in Eclipse Hono 1.3.0/1.4.0 |
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices.
| 5.0 |
|2020-10-23||CVE-2020-27216||In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system.|| 4.4 |
|2020-10-15||CVE-2019-17640|| Path Traversal vulnerability in Eclipse Vert.x |
In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly process backslashes on Windows operating systems, allowing escape from the webroot folder to the current working directory.
| 7.5 |
|2020-07-15||CVE-2019-17639|| Type Confusion vulnerability in Eclipse OpenJ9 |
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value.
| 5.0 |
|2020-07-15||CVE-2019-17637|| XXE vulnerability in Eclipse Web Tools Platform 3.16/3.17/3.18 |
In all versions of Eclipse Web Tools Platform through release 3.18 (2020-06), XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user preferences.
| 5.8 |
|2020-07-09||CVE-2019-17638|| Operation on a Resource after Expiration or Release vulnerability in Eclipse Jetty 9.4.27/9.4.28/9.4.29 |
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error.
| 7.5 |