CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0728 – Eclipse ThreadX NetX Duo HTTP server single PUT request integer underflow
https://notcve.org/view.php?id=CVE-2025-0728
21 Feb 2025 — In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause an integer underflow and a subsequent denial of service by writing a very large file, by specially crafted packets with Content-Length smaller than the data request size. A possible workaround is to disable HTTP PUT support. • https://github.com/eclipse-threadx/netxduo/commit/c78d650be7377aae1a8704bc0ce5cc6f9f189014 • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0726 – Eclipse ThreadX NetX Duo HTTP server denial of service
https://notcve.org/view.php?id=CVE-2025-0726
21 Feb 2025 — In NetX HTTP server functionality of Eclipse ThreadX NetX Duo before version 6.4.2, an attacker can cause a denial of service by specially crafted packets. The core issue is missing closing of a file in case of an error condition, resulting in the 404 error for each further file request. Users can work-around the issue by disabling the PUT request support. • https://github.com/eclipse-threadx/netxduo/commit/c78d650be7377aae1a8704bc0ce5cc6f9f189014 • CWE-459: Incomplete Cleanup •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1007 – Improper Authorization in /user/namespace/{namespace}/details
https://notcve.org/view.php?id=CVE-2025-1007
19 Feb 2025 — In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo. • https://github.com/eclipse/openvsx/security/advisories/GHSA-wc7c-xq2f-qp4h • CWE-283: Unverified Ownership CWE-285: Improper Authorization •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10917 – Eclipse OpenJ9 might return an incorrect value in JNI function GetStringUTFLength
https://notcve.org/view.php?id=CVE-2024-10917
11 Nov 2024 — In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. From 0.48 the value is correct but may be truncated to include a smaller number of characters. This update for java-1_8_0-ibm fixes the following issues. Unauthenticated attacker can obtain unauthorized read and write access to data through the Hotspot component API. • https://github.com/eclipse-openj9/openj9/pull/20362 • CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3935 – Eclipse Mosquito: Double free vulnerability
https://notcve.org/view.php?id=CVE-2024-3935
30 Oct 2024 — In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker. En Eclipse Mosquito, versiones desde 2.0.0 hasta 2.0.18, si un agente Mosquitto está configurado para crear una conexión de puente saliente y es... • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/197 • CWE-415: Double Free •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10525 – Eclipse Mosquito: Heap Buffer Overflow in my_subscribe_callback
https://notcve.org/view.php?id=CVE-2024-10525
30 Oct 2024 — In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients. En Eclipse Mosquitto, desde la versión 1.3.2 hasta la 2.0.18, si un agente malintencionado envía un paquete SUBACK manipulado sin códigos de motivo, un cliente que utilice libmosquitto puede realizar un acceso a la me... • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190 • CWE-122: Heap-based Buffer Overflow •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-8184 – Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
https://notcve.org/view.php?id=CVE-2024-8184
14 Oct 2024 — There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory. A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors... • https://github.com/jetty/jetty.project/pull/11723 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-6762 – Jetty PushSessionCacheFilter can cause remote DoS attacks
https://notcve.org/view.php?id=CVE-2024-6762
14 Oct 2024 — Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. Jetty 9 is a Java based web server and servlet engine. Several security vulnerabilities have been discovered which may allow remote attackers to cause a denial of service by repeatedly sending crafted requests which can trigger OutofMemory errors and exhaust the server's memory. • https://github.com/jetty/jetty.project/pull/10755 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6763 – Jetty URI parsing of invalid authority
https://notcve.org/view.php?id=CVE-2024-6763
14 Oct 2024 — Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combin... • https://github.com/jetty/jetty.project/pull/12012 • CWE-1286: Improper Validation of Syntactic Correctness of Input •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-9823 – Jetty DOS vulnerability on DosFilter
https://notcve.org/view.php?id=CVE-2024-9823
14 Oct 2024 — There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally. A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, l... • https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h • CWE-400: Uncontrolled Resource Consumption •