
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). • https://bugs.eclipse.org/bugs/show_bug.cgi?id=575924 https://github.com/eclipse-theia/theia/pull/10125 • CWE-940: Improper Verification of Source of a Communication Channel

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check the rem_len size in readpacket. • https://github.com/eclipse/paho.mqtt.embedded-c/issues/96 • CWE-787: Out-of-bounds Write

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

In Eclipse OpenJ9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395 https://github.com/eclipse-openj9/openj9/pull/13740 https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/104 https://security.netapp.com/advisory/ntap-20240621-0006 https://access.redhat.com/security/cve/CVE-2021-41035 https://bugzilla.redhat.com/show_bug.cgi?id=2027791 • CWE-250: Execution with Unnecessary Privileges; CWE-440: Expected Behavior Violation; CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence, the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=540989 • CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CVSS: 8.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to a man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=575688 • CWE-300: Channel Accessible by Non-Endpoint