Vulnerabilities > Eclipse > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-21 | CVE-2021-28167 | Missing Initialization of Resource vulnerability in Eclipse Openj9 In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. | 6.5 |
| 2021-04-07 | CVE-2021-28166 | NULL Pointer Dereference vulnerability in Eclipse Mosquitto In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated client that had connected with MQTT v5 sent a crafted CONNACK message to the broker, a NULL pointer dereference would occur. | 6.5 |
| 2021-04-01 | CVE-2021-28164 | In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. | 5.3 |
| 2021-03-12 | CVE-2021-28162 | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Eclipse Theia In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. | 6.1 |
| 2021-03-12 | CVE-2021-28161 | Cross-site Scripting vulnerability in Eclipse Theia In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. | 6.1 |
| 2021-02-26 | CVE-2020-27223 | Resource Exhaustion vulnerability in multiple products In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. | 5.3 |
| 2021-01-14 | CVE-2020-27219 | Cross-site Scripting vulnerability in Eclipse Hawkbit In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. | 6.1 |
| 2020-11-28 | CVE-2020-27218 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. | 4.8 |
| 2020-07-15 | CVE-2019-17639 | Type Confusion vulnerability in Eclipse Openj9 In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. | 5.3 |
| 2020-04-03 | CVE-2020-10689 | Unspecified vulnerability in Eclipse CHE A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods. low complexity eclipse | 6.8 |