Vulnerabilities (CVE)

Vendor: Eclipse
55 CVEs total
CVE  Vendors (count, names)  Products (count, names)  Updated  CVSS
CVE-2019-11778 1 Eclipse 1 Mosquitto 2019-10-09 5.5
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry...
CVE-2019-11777 1 Eclipse 1 Paho Java Client 2019-10-09 5.0
In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and...
CVE-2019-11774 1 Eclipse 1 Omr 2019-10-09 5.8
Prior to 0.1, all builds of Eclipse OMR contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we...
CVE-2019-11773 1 Eclipse 1 Omr 2019-10-09 4.6
Prior to 0.1, AIX builds of Eclipse OMR contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
CVE-2019-11771 1 Eclipse 1 Openj9 2019-10-09 4.6
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
CVE-2019-10248 1 Eclipse 1 Vorto 2019-10-09 6.8
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of...
CVE-2019-10246 1 Eclipse 1 Jetty 2019-10-09 5.0
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of...
CVE-2019-10244 1 Eclipse 1 Kura 2019-10-09 5.0
In Eclipse Kura versions up to 4.0.0, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an...
CVE-2019-10243 1 Eclipse 1 Kura 2019-10-09 5.0
In Eclipse Kura versions up to 4.0.0, Kura exposes the underlying UI web server version in its replies. This can be used as a hint by an attacker to craft attacks specifically against the web server run by Kura.
CVE-2019-10242 1 Eclipse 1 Kura 2019-10-09 5.0
In Eclipse Kura versions up to 4.0.0, the SkinServlet did not check the path passed during the servlet call, potentially allowing path traversal in GET requests for a limited number of file types.
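The path-traversal pattern behind CVE-2019-10242, shown as an added example: an unchecked join of the requested name onto the skin directory next to a resolver that canonicalises the result, requires it to stay under the base directory, and restricts the served file types. This is illustrative code written for this page, not Kura's SkinServlet; the class name, the allow-list of extensions and the temp-directory layout in main are assumptions.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

public final class SafeSkinResolver {
    // Hypothetical allow-list of file types a skin servlet would serve.
    private static final Set<String> ALLOWED_EXT = Set.of("css", "png", "svg", "woff2");
    private final Path base;

    SafeSkinResolver(Path base) throws IOException {
        this.base = base.toRealPath(); // canonical base: symlinks and ".." resolved once
    }

    // Vulnerable pattern (as described for CVE-2019-10242): the request path is joined as-is.
    // "../secret.txt" normalises to a file outside the skin directory and would be served.
    Path resolveUnchecked(String requested) {
        return base.resolve(requested).normalize();
    }

    // Hardened: reject anything that escapes the base after canonicalisation,
    // anything not in the allow-list, and symlinks pointing out of the base.
    Path resolveChecked(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("bad path");
        }
        Path candidate = base.resolve(requested).normalize();
        // startsWith compares whole path components, so "skins-evil" does not pass as "skins"
        if (!candidate.startsWith(base) || candidate.getFileName() == null) {
            throw new SecurityException("path escapes base: " + requested);
        }
        String name = candidate.getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || !ALLOWED_EXT.contains(name.substring(dot + 1).toLowerCase())) {
            throw new SecurityException("type not allowed: " + name);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new FileNotFoundException(name);
        }
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes base: " + requested);
        }
        return real;
    }

    public static void main(String[] args) throws Exception {
        // Constructed layout: skins/theme.css is legitimate, ../secret.txt must never be reachable.
        Path tmp = Files.createTempDirectory("skin");
        Path skins = Files.createDirectory(tmp.resolve("skins"));
        Files.writeString(skins.resolve("theme.css"), "body{}");
        Files.writeString(tmp.resolve("secret.txt"), "not for you");

        SafeSkinResolver r = new SafeSkinResolver(skins);
        System.out.println("unchecked resolves to: " + r.resolveUnchecked("../secret.txt"));
        System.out.println("checked serves:        " + r.resolveChecked("theme.css"));
        try {
            r.resolveChecked("../secret.txt");
        } catch (SecurityException e) {
            System.out.println("checked rejected:      " + e.getMessage());
        }
    }
}
```

The check must run on the normalised path, not on the raw request string: filtering ".." textually misses encoded or platform-specific separators, while comparing canonical paths covers them all.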
CVE-2019-10240 1 Eclipse 1 Hawkbit 2019-10-09 6.8
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts...
CVE-2018-12551 1 Eclipse 1 Mosquitto 2019-10-09 N/A
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and...
CVE-2018-12550 1 Eclipse 1 Mosquitto 2019-10-09 6.8
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a...
CVE-2018-12548 1 Eclipse 1 Openj9 2019-10-09 7.5
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code.
CVE-2018-12546 1 Eclipse 1 Mosquitto 2019-10-09 N/A
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the...
CVE-2018-12545 2 Eclipse, Fedoraproject 2 Jetty, Fedora 2019-10-09 5.0
In Eclipse Jetty versions 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due...
CVE-2018-12544 1 Eclipse 1 Vert.x 2019-10-09 7.5
In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This mechanism is used exclusively when the developer uses the Eclipse Vert.x OpenAPI XML...
CVE-2018-12543 1 Eclipse 1 Mosquitto 2019-10-09 5.0
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto...
CVE-2018-12541 1 Eclipse 1 Vert.x 2019-10-09 4.0
In versions from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes)...
CVE-2018-12540 1 Eclipse 1 Vert.x 2019-10-09 6.8
In versions from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler does not assert that the XSRF cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet.
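What the missing assertion in CVE-2018-12540 costs is easiest to see with a minimal double-submit token scheme. The added example below is written for this page and is not Vert.x's CSRFHandler: the token format (base64 timestamp plus HMAC), the demo key and the class name are assumptions. Both checks validate the signature and expiry of the submitted token; only the hardened one also requires it to equal the cookie, which is what stops an attacker from replaying a valid, unexpired token obtained from their own session.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public final class CsrfCheckDemo {
    // Demo key only; a real deployment uses a random secret kept out of source.
    private static final byte[] KEY = "replace-with-a-random-key".getBytes(StandardCharsets.UTF_8);

    static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static byte[] hmac(String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Hypothetical token format: base64(issuedAtMillis) "." base64(hmac(issuedAtMillis))
    static String issueToken(long issuedAtMillis) throws Exception {
        String ts = Long.toString(issuedAtMillis);
        return b64(ts.getBytes(StandardCharsets.UTF_8)) + "." + b64(hmac(ts));
    }

    // Signature and expiry check shared by both variants.
    static boolean tokenValid(String token, long nowMillis, long ttlMillis) throws Exception {
        if (token == null) return false;
        int dot = token.indexOf('.');
        if (dot < 0) return false;
        String ts;
        byte[] sig;
        try {
            ts = new String(Base64.getUrlDecoder().decode(token.substring(0, dot)), StandardCharsets.UTF_8);
            sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (!MessageDigest.isEqual(sig, hmac(ts))) return false; // constant-time compare
        long issued;
        try {
            issued = Long.parseLong(ts);
        } catch (NumberFormatException e) {
            return false;
        }
        return nowMillis - issued <= ttlMillis;
    }

    // Vulnerable pattern (as described for CVE-2018-12540): the cookie is never consulted,
    // so any unexpired token signed with the server key is accepted.
    static boolean acceptVulnerable(String cookieToken, String headerToken, long now, long ttl) throws Exception {
        return tokenValid(headerToken, now, ttl);
    }

    // Hardened: the submitted token must be the one bound to this browser's cookie.
    static boolean acceptHardened(String cookieToken, String headerToken, long now, long ttl) throws Exception {
        if (cookieToken == null || headerToken == null) return false;
        byte[] c = cookieToken.getBytes(StandardCharsets.UTF_8);
        byte[] h = headerToken.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(c, h)) return false;
        return tokenValid(headerToken, now, ttl);
    }

    public static void main(String[] args) throws Exception {
        long ttl = 30 * 60 * 1000L;
        long t0 = 1_000_000L;
        String victimCookie = issueToken(t0 + 60_000); // token in the victim's cookie
        String attackerToken = issueToken(t0);          // earlier token the attacker obtained from their own session
        long now = t0 + 120_000;                        // both tokens still within ttl

        System.out.println("vulnerable accepts replayed token: " + acceptVulnerable(victimCookie, attackerToken, now, ttl));
        System.out.println("hardened accepts replayed token:   " + acceptHardened(victimCookie, attackerToken, now, ttl));
        System.out.println("hardened accepts matching token:   " + acceptHardened(victimCookie, victimCookie, now, ttl));
    }
}
```

The cookie comparison has to happen in addition to, not instead of, signature verification: without the signature an attacker who can plant a cookie on a related subdomain could forge both halves, and without the equality check a token is only proof that the server issued it to someone.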