Vulnerabilities > Eclipse
| Date | CVE | Title | Description | Score |
|---|---|---|---|---|
| 2021-07-15 | CVE-2021-34429 | Information Exposure vulnerability in Eclipse Jetty | For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 and 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. | 5.0 |
| 2021-07-08 | CVE-2021-34430 | Inadequate Encryption Strength vulnerability in Eclipse Tinydtls 0.8.1/0.8.2/0.9 | Eclipse TinyDTLS through 0.9-rc1 relies on the rand function in the C library, which makes it easier for remote attackers to compute the master key and then decrypt DTLS traffic. | 5.0 |
| 2021-06-25 | CVE-2021-34427 | Improper Input Validation vulnerability in Eclipse Business Intelligence and Reporting Tools | In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file that is remotely accessible (in the current BIRT viewer directory) and thereby inject JSP code into the running instance. | 7.5 |
| 2021-06-22 | CVE-2021-34428 | Insufficient Session Expiration vulnerability in Eclipse Jetty | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2 and <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, the session ID is not invalidated in the session ID manager. | 3.6 |
| 2021-06-09 | CVE-2021-28169 | Information Exposure vulnerability in multiple products | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2 and <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. | 5.0 |
| 2021-06-02 | CVE-2020-6950 | Path Traversal vulnerability in Eclipse Mojarra | Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or the con parameter. | 5.0 |
| 2021-05-26 | CVE-2021-28170 | Improper Input Validation vulnerability in Eclipse Jakarta Expression Language Implementation | In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. | 5.0 |
| 2021-04-22 | CVE-2021-28168 | Incorrect Permission Assignment for Critical Resource vulnerability in Eclipse Jersey | Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contain a local information disclosure vulnerability. | 2.1 |
| 2021-04-21 | CVE-2021-28167 | Missing Initialization of Resource vulnerability in Eclipse Openj9 | In Eclipse OpenJ9 up to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. | 6.4 |
| 2021-04-07 | CVE-2021-28166 | Null Pointer Dereference vulnerability in Eclipse Mosquitto | In Eclipse Mosquitto versions 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. | 4.0 |