CVSS: 9.8EPSS: 6%CPEs: 1EXPL: 0CVE-2024-0740 – Eclipse Target Management <= 4.5.500 Command Injection
https://notcve.org/view.php?id=CVE-2024-0740
26 Apr 2024 — Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 Eclipse Target Management: Terminal and Remote System Explorer (RSE) versión <= 4.5.400 tiene una vulnerabilidad de ejecución remota de código que no requiere autenticación. La versión fija está incluida en Eclipse IDE 2024-03 • https://git.eclipse.org/r/c/tm/org.eclipse.tm/+/202145 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3046
https://notcve.org/view.php?id=CVE-2024-3046
09 Apr 2024 — In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs. This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1] En el componente Eclipse Kur... • https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/188 • CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2024-2212 – Integer wraparounds, under-allocations, and heap buffer overflows in Eclipse ThreadX xQueueCreate() and xQueueCreateSet()
https://notcve.org/view.php?id=CVE-2024-2212
26 Mar 2024 — In Eclipse ThreadX before 6.4.0, xQueueCreate() and xQueueCreateSet() functions from the FreeRTOS compatibility API (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing parameter checks. This could lead to integer wraparound, under-allocations and heap buffer overflows. En Eclipse ThreadX anterior a 6.4.0, a las funciones xQueueCreate() y xQueueCreateSet() de la API de compatibilidad de FreeRTOS (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) les faltaban comprobaciones de pará... • https://packetstorm.news/files/id/178817 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2024-2214 – Missing array size check in _Mtxinit() in the Xtensa port
https://notcve.org/view.php?id=CVE-2024-2214
26 Mar 2024 — In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c En Eclipse ThreadX anterior a la versión 6.4.0, a la función _Mtxinit() en el puerto Xtensa le faltaba una verificación del tamaño de la matriz, lo que provocaba una sobrescritura de la memoria. El archivo afectado era ports/xtensa/xcc/src/tx_clib_lock.c Eclipse ThreadX versions prior to 6.4.0 suffers from a ... • https://packetstorm.news/files/id/178817 • CWE-129: Improper Validation of Array Index •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2024-2452 – Integer wraparound, under-allocation, and heap buffer overflow in Eclipse ThreadX NetX Duo __portable_aligned_alloc()
https://notcve.org/view.php?id=CVE-2024-2452
26 Mar 2024 — In Eclipse ThreadX NetX Duo before 6.4.0, if an attacker can control parameters of __portable_aligned_alloc() could cause an integer wrap-around and an allocation smaller than expected. This could cause subsequent heap buffer overflows. En Eclipse ThreadX NetX Duo anterior a 6.4.0, si un atacante puede controlar los parámetros de __portable_aligned_alloc() podría provocar una envoltura de enteros y una asignación menor de lo esperado. Esto podría provocar desbordamientos de búfer de almacenamiento dinámico.... • https://packetstorm.news/files/id/178817 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-190: Integer Overflow or Wraparound •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 3CVE-2023-6194
https://notcve.org/view.php?id=CVE-2023-6194
11 Dec 2023 — In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition. En las versiones 0.7 a 1.14.0 de Eclipse Memory Analyzer, los archivos XML de definición de ... • https://bugs.eclipse.org/bugs/show_bug.cgi?id=582631 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5676 – Eclipse OpenJ9 possible infinite busy hang
https://notcve.org/view.php?id=CVE-2023-5676
15 Nov 2023 — In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. En Eclipse OpenJ9 anterior a la versión 0.41.0, la JVM puede verse forzada a un bloqueo de ocupación infinita en un bloqueo de giro o una falla de segmentación si se recibe una señal de apagado (SIGTERM, SIGINT o SIGHUP) antes de que la JVM haya terminado de inicializarse. Eclipse... • https://github.com/eclipse-openj9/openj9/pull/18085 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-4218 – XXE in eclipse.platform / Eclipse IDE
https://notcve.org/view.php?id=CVE-2023-4218
09 Nov 2023 — In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch). En las versiones de Eclipse IDE <2023-09 (4.29), algunos archivos con contenido xml se analizan como vulnerables a todo tipo de ataques XXE. El usuario sólo necesita abrir cualquier proyecto maligno o actualizar un proyecto abierto co... • https://github.com/eclipse-cdt/cdt/commit/c7169b3186d2fef20f97467c3e2ad78e2943ed1b • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-4043 – Parsson DoS when parsing numbers from untrusted sources
https://notcve.org/view.php?id=CVE-2023-4043
03 Nov 2023 — In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect. To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale. En Eclipse Parsson antes de las versiones 1.1.4 y 1.0.5, el Parsing JSON de fuentes no c... • https://github.com/eclipse-ee4j/parsson/pull/100 • CWE-20: Improper Input Validation CWE-834: Excessive Iteration •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5763 – Glassfish remote code execution
https://notcve.org/view.php?id=CVE-2023-5763
03 Nov 2023 — In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners. En Eclipse Glassfish 5 o 6, ejecutado con versiones antiguas de JDK (inferiores a 6u211, o < 7u201, o < 8u191), permite a atacantes remotos cargar código malicioso en el servidor mediante el acceso a oyentes ORB inseguros. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/14 • CWE-20: Improper Input Validation CWE-913: Improper Control of Dynamically-Managed Code Resources •