Vulnerabilities > Eclipse
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-06-09 | CVE-2021-28169 | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. | 5.3 |
| 2021-06-02 | CVE-2020-6950 | Path Traversal vulnerability in multiple products Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | 6.5 |
| 2021-05-26 | CVE-2021-28170 | Expression Language Injection vulnerability in multiple products In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. | 5.3 |
| 2021-04-22 | CVE-2021-28168 | Exposure of Resource to Wrong Sphere vulnerability in multiple products Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. | 5.5 |
| 2021-04-21 | CVE-2021-28167 | Missing Initialization of Resource vulnerability in Eclipse Openj9 In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. | 6.5 |
| 2021-04-07 | CVE-2021-28166 | NULL Pointer Dereference vulnerability in Eclipse Mosquitto In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. | 6.5 |
| 2021-04-01 | CVE-2021-28165 | Improper Handling of Exceptional Conditions vulnerability in multiple products In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. | 7.5 |
| 2021-04-01 | CVE-2021-28164 | In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. | 5.3 |
| 2021-04-01 | CVE-2021-28163 | Link Following vulnerability in multiple products In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. | 2.7 |
| 2021-03-12 | CVE-2021-28162 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Eclipse Theia In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. | 6.1 |