CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8184 – Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
https://notcve.org/view.php?id=CVE-2024-8184
14 Oct 2024 — There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory. A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors... • https://github.com/jetty/jetty.project/pull/11723 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-6762 – Jetty PushSessionCacheFilter can cause remote DoS attacks
https://notcve.org/view.php?id=CVE-2024-6762
14 Oct 2024 — Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. • https://github.com/jetty/jetty.project/pull/10755 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6763 – Jetty URI parsing of invalid authority
https://notcve.org/view.php?id=CVE-2024-6763
14 Oct 2024 — Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combin... • https://github.com/jetty/jetty.project/pull/12012 • CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-9823 – Jetty DOS vulnerability on DosFilter
https://notcve.org/view.php?id=CVE-2024-9823
14 Oct 2024 — There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally. A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, l... • https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8376 – Memory leak
https://notcve.org/view.php?id=CVE-2024-8376
11 Oct 2024 — In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets. A flaw was found in Eclipse Mosquitto. A remote attacker may be able to trigger memory leakage, segmentation fault, or a heap-use-after-free condition by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE", and "PUBLISH" packets. Red Hat Product Se... • https://github.com/eclipse/mosquitto/releases/tag/v2.0.19 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-416: Use After Free CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9329 – Glassfish redirect to untrusted site
https://notcve.org/view.php?id=CVE-2024-9329
30 Sep 2024 — In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. • https://github.com/eclipse-ee4j/glassfish/pull/25106 • CWE-233: Improper Handling of Parameters •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9202 – EDC DataSetResolver policy filtering missing
https://notcve.org/view.php?id=CVE-2024-9202
27 Sep 2024 — In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering. This enables parties to potentially see datasets they should not have access to, thereby exposing sensiti... • https://github.com/eclipse-edc/Connector/pull/4490 • CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8642 – Eclipse EDC: Consumer pull transfer token validation checks not applied
https://notcve.org/view.php?id=CVE-2024-8642
11 Sep 2024 — In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 th... • https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6 • CWE-303: Incorrect Implementation of Authentication Algorithm CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8646 – Eclipse Glassfish: URL redirection vulnerability to untrusted sites
https://notcve.org/view.php?id=CVE-2024-8646
11 Sep 2024 — In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/'). In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code in... • https://github.com/eclipse-ee4j/glassfish/pull/24655 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8391 – Eclipse Vert.x gRPC server does not limit the maximum message size
https://notcve.org/view.php?id=CVE-2024-8391
04 Sep 2024 — In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc) A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a serv... • https://github.com/eclipse-vertx/vertx-grpc/issues/113 • CWE-770: Allocation of Resources Without Limits or Throttling •