CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-5115 – MadeYouReset HTTP/2 vulnerability
https://notcve.org/view.php?id=CVE-2025-5115
20 Aug 2025 — In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc... • https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h • CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9408
https://notcve.org/view.php?id=CVE-2024-9408
16 Jul 2025 — In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/38 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10032
https://notcve.org/view.php?id=CVE-2024-10032
16 Jul 2025 — In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/42 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10031
https://notcve.org/view.php?id=CVE-2024-10031
16 Jul 2025 — In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system. In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/41 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10029
https://notcve.org/view.php?id=CVE-2024-10029
16 Jul 2025 — In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console. In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9343
https://notcve.org/view.php?id=CVE-2024-9343
16 Jul 2025 — In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9342
https://notcve.org/view.php?id=CVE-2024-9342
16 Jul 2025 — In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/33 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4949 – XXE vulnerability in Eclipse JGit
https://notcve.org/view.php?id=CVE-2025-4949
21 May 2025 — In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues. These are all security issues fixed in the jgit-5.11.0-2.1 package on the GA medi... • https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1 • CWE-611: Improper Restriction of XML External Entity Reference CWE-827: Improper Control of Document Type Definition •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4447 – Buffer Overflow in Eclipse OpenJ9
https://notcve.org/view.php?id=CVE-2025-4447
09 May 2025 — In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts. A flaw was found in Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8. A stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts. An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. • https://github.com/eclipse-openj9/openj9/pull/21762 • CWE-121: Stack-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1948 – Eclipse Jetty HTTP clients can increase memory allocation
https://notcve.org/view.php?id=CVE-2025-1948
08 May 2025 — In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thrown, or even the JVM process exiting. A flaw was found in Eclipse Jetty. This vulnerability allows denial of service attack via an HTTP/2 clien... • https://github.com/jetty/jetty.project/security/advisories/GHSA-889j-63jv-qhr8 • CWE-400: Uncontrolled Resource Consumption •