CVE Tools

the eclipse foundation

OSS Librariesoss-project

55

Cumulative CVEs

15

Monthly snapshots

#59

Peak rank

Top products

eclipse jetty3 eclipse equinox p21 eclipse lyo1

Latest CVEs

The 15 most recently published vulnerabilities affecting the eclipse foundation.

CVE-2023-0100In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xy...8.8Mar 15, 2023
CVE-2022-2712In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an ...6.5Jan 27, 2023
CVE-2022-3676In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatib...6.5Oct 24, 2022
CVE-2022-2838In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is a...5.3Aug 16, 2022
CVE-2022-2576In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially,...7.5Jul 29, 2022
CVE-2021-41037In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command...10.0Jul 8, 2022
CVE-2021-41042In Eclipse Lyo versions 1.0.0 to 4.1.0, a TransformerFactory is initialized with the defaults that do not restrict DTD loading when working with RDF/XML. This allows an attacker to cause an externa...5.3Jul 7, 2022
CVE-2022-2191In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.7.5Jul 7, 2022
CVE-2022-2047In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly ...2.7Jul 7, 2022
CVE-2022-2048In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associa...7.5Jul 7, 2022
CVE-2021-41041In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverifi...5.3Apr 27, 2022
CVE-2021-41039In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and po...7.5Dec 1, 2021
CVE-2021-41038In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().6.1Nov 10, 2021
CVE-2021-41036In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.9.8Nov 2, 2021
CVE-2021-41035In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.9.8Oct 25, 2021