CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2019-18212
https://notcve.org/view.php?id=CVE-2019-18212
XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML Language Support (aka vscode-xml) before 0.9.1 for Visual Studio and other products, allows a remote attacker to write to arbitrary files via Directory Traversal. El archivo XMLLanguageService.java en XML Language Server (también se conoce como lsp4xml) versiones anteriores a 0.9.1, como es usado en Red Hat XML Language Support (también se conoce como vscode-xml) versiones anteriores a 0.9.1 para Visual Studio y otros productos, permite que un atacante remoto escriba en archivos arbitrarios por medio de salto de directorio. • https://github.com/angelozerr/lsp4xml https://github.com/angelozerr/lsp4xml/blob/master/CHANGELOG.md#others https://github.com/angelozerr/lsp4xml/pull/567 https://github.com/redhat-developer/vscode-xml https://marketplace.visualstudio.com/items?itemName=redhat.vscode-xml https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 10EXPL: 0CVE-2019-17631 – JDK: Unrestricted access to diagnostic operations
https://notcve.org/view.php?id=CVE-2019-17631
From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such as causing a GC or creating a diagnostic file are permitted without any privilege checks. Eclipse OpenJ9 desde las versiones 0.15 hasta 0.16, se accede a operaciones de diagnóstico tales como causar un GC o crear un archivo de diagnóstico sin ninguna comprobación de privilegios. • https://access.redhat.com/errata/RHSA-2019:4113 https://access.redhat.com/errata/RHSA-2019:4115 https://access.redhat.com/errata/RHSA-2020:0006 https://access.redhat.com/errata/RHSA-2020:0046 https://bugs.eclipse.org/bugs/show_bug.cgi?id=552129 https://access.redhat.com/security/cve/CVE-2019-17631 https://bugzilla.redhat.com/show_bug.cgi?id=1779880 • CWE-269: Improper Privilege Management CWE-285: Improper Authorization •
CVSS: 6.1EPSS: 0%CPEs: 40EXPL: 2CVE-2019-17091
https://notcve.org/view.php?id=CVE-2019-17091
faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled. El archivo faces/context/PartialViewContextImpl.java en Eclipse Mojarra, como es usado en Mojarra para Eclipse EE4J versiones anteriores a 2.3.10 y Mojarra JavaServer Faces versiones anteriores a 2.2.20, permite un ataque de tipo XSS Reflejado porque un campo client window es manejado inapropiadamente. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=548244 https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee https://github.com/eclipse-ee4j/mojarra/commit/a3fa9573789ed5e867c43ea38374f4dbd5a8f81f https://github.com/eclipse-ee4j/mojarra/compare/2.3.9-RELEASE...2.3.10-RELEASE https://github.com/eclipse-ee4j/mojarra/files/3039198/advisory.txt https://github.com/eclipse-ee4j/mojarra/issues/4556 https://github.com/eclipse-ee4j/mojarra/pull/4567 https://github.com/javaserv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 35%CPEs: 10EXPL: 0CVE-2019-11779
https://notcve.org/view.php?id=CVE-2019-11779
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur. En Eclipse Mosquitto versiones 1.5.0 hasta 1.6.5 incluyéndola, si un cliente MQTT malicioso envía un paquete SUBSCRIBE que contiene un tema que consta de aproximadamente 65400 o más caracteres '/', es decir, el separador de jerarquía de temas, entonces ocurrirá un desbordamiento de la pila. • http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00008.html https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160 https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4WMHIM64Q35NGTR6R3ILZUL4MA4ANB5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFWQBNFTAVHPUYNGYO2TCPF5PCSWC2Z7 https:&# • CWE-674: Uncontrolled Recursion CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-11778
https://notcve.org/view.php?id=CVE-2019-11778
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free error occurs, which has the potential to cause a crash in some situations. Si un cliente MQTT versión v5 se conecta a Eclipse Mosquitto versiones 1.6.0 hasta 1.6.4 incluyéndola, establece un último deseo y testamento, establece un intervalo de retardo de deseo, establece un intervalo de vencimiento de sesión y el intervalo de retardo de deseo se establece por encima del intervalo de vencimiento de sesión, luego se presenta un error de uso de memoria previamente liberada, que tiene el potencial para causar un bloqueo en algunas situaciones. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=551162 • CWE-416: Use After Free •