Vulnerabilities > Eclipse > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-07-07 | CVE-2021-41042 | XXE vulnerability in Eclipse Lyo 1.0.0/4.1.0. In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. | 5.3 |
2022-04-27 | CVE-2021-41041 | Unchecked Return Value vulnerability in multiple products. In Eclipse OpenJ9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. | 5.3 |
2022-02-18 | CVE-2022-0672 | Information Exposure vulnerability in Eclipse LemMinX. A flaw was found in LemMinX in versions prior to 0.19.0. | 5.5 |
2022-02-18 | CVE-2022-0673 | Path Traversal vulnerability in Eclipse LemMinX. A flaw was found in LemMinX in versions prior to 0.19.0. | 6.5 |
2021-11-10 | CVE-2021-41038 | Unspecified vulnerability in Eclipse Theia. In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | 6.1 |
2021-08-30 | CVE-2021-34434 | Incorrect Authorization vulnerability in multiple products. In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. | 5.3 |
2021-07-22 | CVE-2021-34431 | Memory Leak vulnerability in Eclipse Mosquitto. In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client that had connected with MQTT v5 sent a crafted CONNECT message to the broker, a memory leak would occur, which could be used to provide a DoS attack against the broker. | 6.5 |
2021-07-15 | CVE-2021-34429 | For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. | 5.3 |
2021-06-09 | CVE-2021-28169 | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. | 5.3 |
2021-06-02 | CVE-2020-6950 | Path Traversal vulnerability in multiple products. Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | 6.5 |