CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-7272 – Eclipse Parsson stack overflow with deeply nested objects
https://notcve.org/view.php?id=CVE-2023-7272
17 Jul 2024 — In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents. En Eclipse Parsson anterior a 1.0.4 y 1.1.3, un documento con una gran profundidad de objetos anidados puede permitir que un atacante provoque una excepción de desbordamiento de pila de Java y denegación de servicio. Eclipse Parsson permite ... • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/12 • CWE-787: Out-of-bounds Write •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3933 – Eclipse Open J9 With -Xgc:concurrentScavenge on IBM Z, could write/read outside of a buffer
https://notcve.org/view.php?id=CVE-2024-3933
27 May 2024 — In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with hardware and software support for guarded storage [1], could allow access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. This allows read and write to ... • https://github.com/eclipse/omr/pull/7275 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write CWE-805: Buffer Access with Incorrect Length Value •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5165 – Eclipse Ditto User Interface vulnerable to XSS due to Improper Neutralization of Input
https://notcve.org/view.php?id=CVE-2024-5165
23 May 2024 — In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of several input fields of the Eclipse Ditto Explorer User Interface https://eclipse.dev/ditto/user-interface.html was not properly neutralized and thus vulnerable to both Reflected and Stored XSS (Cross Site Scripting). Several inputs were not persisted at the backend of Eclipse Ditto, but only in local browser storage to save settings of "environments" of the UI and e.g. the last performed "search queries", resulting in a "Reflected XSS" vulnerabili... • https://gitlab.eclipse.org/security/cve-assignement/-/issues/23 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4536 – Eclipse EDC: OAuth2 Credential Exfiltration Vulnerability
https://notcve.org/view.php?id=CVE-2024-4536
07 May 2024 — In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data addres... • https://github.com/eclipse-edc/Connector/commit/a4e6018d2c0457fba6f672fafa6c590513c45d1b • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 5%CPEs: 1EXPL: 0CVE-2024-0740 – Eclipse Target Management <= 4.5.500 Command Injection
https://notcve.org/view.php?id=CVE-2024-0740
26 Apr 2024 — Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 Eclipse Target Management: Terminal and Remote System Explorer (RSE) versión <= 4.5.400 tiene una vulnerabilidad de ejecución remota de código que no requiere autenticación. La versión fija está incluida en Eclipse IDE 2024-03 • https://git.eclipse.org/r/c/tm/org.eclipse.tm/+/202145 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3046
https://notcve.org/view.php?id=CVE-2024-3046
09 Apr 2024 — In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs. This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1] En el componente Eclipse Kur... • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188 • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2024-2212 – Integer wraparounds, under-allocations, and heap buffer overflows in Eclipse ThreadX xQueueCreate() and xQueueCreateSet()
https://notcve.org/view.php?id=CVE-2024-2212
26 Mar 2024 — In Eclipse ThreadX before 6.4.0, xQueueCreate() and xQueueCreateSet() functions from the FreeRTOS compatibility API (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing parameter checks. This could lead to integer wraparound, under-allocations and heap buffer overflows. En Eclipse ThreadX anterior a 6.4.0, a las funciones xQueueCreate() y xQueueCreateSet() de la API de compatibilidad de FreeRTOS (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) les faltaban comprobaciones de pará... • https://packetstorm.news/files/id/178817 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2024-2214 – Missing array size check in _Mtxinit() in the Xtensa port
https://notcve.org/view.php?id=CVE-2024-2214
26 Mar 2024 — In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c En Eclipse ThreadX anterior a la versión 6.4.0, a la función _Mtxinit() en el puerto Xtensa le faltaba una verificación del tamaño de la matriz, lo que provocaba una sobrescritura de la memoria. El archivo afectado era ports/xtensa/xcc/src/tx_clib_lock.c Eclipse ThreadX versions prior to 6.4.0 suffers from a ... • https://packetstorm.news/files/id/178817 • CWE-129: Improper Validation of Array Index •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2024-2452 – Integer wraparound, under-allocation, and heap buffer overflow in Eclipse ThreadX NetX Duo __portable_aligned_alloc()
https://notcve.org/view.php?id=CVE-2024-2452
26 Mar 2024 — In Eclipse ThreadX NetX Duo before 6.4.0, if an attacker can control parameters of __portable_aligned_alloc() could cause an integer wrap-around and an allocation smaller than expected. This could cause subsequent heap buffer overflows. En Eclipse ThreadX NetX Duo anterior a 6.4.0, si un atacante puede controlar los parámetros de __portable_aligned_alloc() podría provocar una envoltura de enteros y una asignación menor de lo esperado. Esto podría provocar desbordamientos de búfer de almacenamiento dinámico.... • https://packetstorm.news/files/id/178817 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-190: Integer Overflow or Wraparound •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 3CVE-2023-6194
https://notcve.org/view.php?id=CVE-2023-6194
11 Dec 2023 — In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition. En las versiones 0.7 a 1.14.0 de Eclipse Memory Analyzer, los archivos XML de definición de ... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631 • CWE-611: Improper Restriction of XML External Entity Reference •