Skip to main content
  • 317055 Platform: [Webapp][Security] URLEncode url requests from local users
  • 319344 Platform: [Webapp][Security] Phishing on help application
  • 320547 Platform: [Webapp][Security] Misuse of /topic/file
  • 320548 Platform: [Webapp][Security] Ability to read files not in bundles
  • 320967 Platform: [Test][Security] Tests for security related bugs
  • 325902 Equinox: [launcher] Windows LoadLibrary search cwd DLL exploit
  • 328795 Equinox: [Webapp] Possible security issue with JSP code exposure.
  • 328975 Equinox: [Webapp] Possible security issue with JSP code exposure.
  • 329193 Equinox: [Webapp] Possible security issue with JSP code exposure.
  • 329582 Platform: [Webapp][Security] Eclipse Help Server XSS
  • 330026 Platform: [Webapp][Security] Fix for Eclipse 3.6.2 Eclipse Help Server XSS
  • 333959 Virgo: cross-site scripting vulnerability
  • 336767 z_Archived: Security Issue in BIRT Viewer
  • 361316 Jetty: DoS attack from similar hash values
  • 367533 Community: Reset Password allows to hijack accounts for SSH access (and other options)
  • 367638 Jetty: Denial of Service attack ocert-2011-003 / CVE-2011-4461
  • 378977 Equinox: [Webapp] Possible security issue with JSP code exposure. - backport to 3.5.2+
  • 378979 Equinox: [Webapp] Possible security issue with JSP code exposure. backport for 3.4.2+
  • 390491 Equinox: [Webapp] Possible security issue with JSP code exposure.
  • 395246 Gemini.Web: Access to forbidden directories can be granted
  • 421097 Community: Open redirect
  • 421700 Community: Reflected XSS - https://dev.eclipse.org/portal/myfoundation/tests/explore.php
  • 421726 Community: [Security] SQL injection in http://www.eclipse.org/membership/scripts/get_image.php
  • 421759 Community: [security] SQL injection in [http://eclipse.org/membership/showMember.php] By Shahmeer Amir and Rafay Baloch
  • 421875 Community: Vulnerabilities on http://www.eclipse.org/‏
  • 424827 Community: Potential XSS vulnerability on /downloads page.
  • 427830 Community: XSS vulnerability on www.eclipse.org
  • 428032 Community: Multiple XSS on site_login
  • 429494 Community: https://bugs.eclipse.org/bugs/ is vulnerable to CVE-2009-3555
  • 435095 Data Tools: HIPP jobs are SSHing to build.eclipse.org and storing passwords in config files
  • 438006 ECF: [XMPP] Update to Smack 4
  • 438901 Platform: Style PASSWORD | READ_ONLY without BORDER displays plain text password
  • 443883 Community: [site_login] Password change should invalidate all active sessions
  • 458571 WTP Source Editing: XXE in DTD Parser/Validator (CVE-2019-17637)
  • 463809 EMFStore: [Security] addInitialParticipant remote method allows privilege escalation
  • 474575 Community: The website may allow automated account creation.
  • 509799 EPP: Symantec reports a Trojan SONAR.AM.C!g24 in eclipse
  • 510249 Kura: Eclipse Kura uses a vulnerable version of Apache Commons Fileupload
  • 513268 Community: Open Redirection vulnerability in wiki.eclipse.org
  • 516765 Community: CVE-2017-7650: Eclipse Mosquitto ACL security issue (CVE-2017-7650)
  • 526392 Platform: JSP source is shown if extension is not matching exactly (case-sensitive)
  • 529754 Community: Mosquitto Server Shutdown Attack (CVE-2017-7651)
  • 530102 Community: Reloading Mosquitto configuration may fail if no file descriptors are available (CVE-2017-7652)
  • 530629 Community: Security vulnerability found in OpenJ9 project (CVE-2018-1417)
  • 532113 Community: CVE-2017-7653: Eclipse Mosquitto does not validate topic strings (CVE-2017-7653)
  • 533258 Community: Californium/Leshan DTLS PSK identity oracle
  • 533493 Community: CVE-2017-7654: Mosquitto Broker DoS through a Memory Leak vulnerability (CVE-2017-7654)
  • 533775 Community: CVE-2017-7655: Potential NULL Dereference vulnerability in Mosquitto Library (CVE-2017-7655)
  • 534108 Community: The site marketplace.eclipse.org only supports TLS 1.0 security
  • 534589 Community: OpenJ9 Vulnerabilities (CVE-2018-12539)
  • 535667 Community: Jetty: CVE Request: HTTP/0.9 Request Smuggling (CVE-2017-7656)
  • 536018 Community: Jetty: CVE Request: FileBasedSessionStore Session Stealing (CVE-2018-12538)
  • 536038 Community: CVE-2018-12537: vert.x: Improper neutralization of CRLF sequences allows remote attackers to inject arbitrary HTTP response headers (CVE-2018-12537)
  • 538142 z_Archived: Security bug - RCE in BIRT viewer example (CVE-2021-34427)
  • 539170 Community: WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake (CVE-2018-12541)
  • 539171 Community: The StaticHandler does not properly neutralize forward slashes (CVE-2018-12542)
  • 539295 Community: Remote crash in Mosquitto 1.5 to 1.5.2 (CVE-2018-12543)
  • 539568 Community: The OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks (CVE-2018-12544)
  • 540550 Community: Password change should invalidate all user sessions
  • 540989 Community: Che build incorporates binaries downloaded over http -- potential MITM risk. (CVE-2021-41034)
  • 541870 Community: mosquitto: An empty ACL file grant all permissions to clients (CVE-2018-12550)
  • 543127 Community: Access Control Violation via Retained Message in Eclipse Mosquitto (CVE-2018-12546)
  • 543401 Community: Blank username allows Mosquitto Security Bypass (CVE-2018-12551)
  • 543626 Paho: Possible Vulnerabilities in Eclipse paho.mqtt.c
  • 543792 Community: OpenJ9 OpenSSL natives are public (CVE-2018-12548)
  • 544019 Community: OpenJ9 may fail to null check the receiver of an unsafe call (CVE-2018-12549)
  • 544819 Community: DTLS server - buffer overflow leading to crash (dtls_create_cookie)
  • 544824 Community: DTLS server - buffer overflow leading to crash (dtls_update_parameters)
  • 545588 openj9: Crash on unverifiable bytecode (CVE-2019-10245)
  • 546053 Community: Eclipse hawkBit: New CVE Request (CVE-2019-10240)
  • 546121 Community: Jetty CVE Request: DefaultServlet / ResourceHandler XSS (CVE-2019-10241)
  • 546576 Community: Jetty CVE Request: Information Reveal - Windows Directory Listings (CVE-2019-10246)
  • 546577 Community: Jetty CVE Request: Information Reveal - DefaultHandler (CVE-2019-10247)
  • 546622 Community: Eclipse Vorto: New CVE Request (CVE-2019-10248)
  • 546816 z_Archived: Reflected XSS vulnerability in the __format URL parameter (CVE-2019-11776)
  • 546996 Community: Eclipse Xtext/Xtend: New CVE Request (CVE-2019-10249)
  • 547734 Community: Eclipse Buildship: New CVE Request (CVE-2019-11770)
  • 549191 OMR: RPATHs on AIX (CVE-2019-11773)
  • 549192 OMR: Loop Versioner (CVE-2019-11774)
  • 549601 openj9: Loop Versioner (CVE-2019-11775)
  • 549934 Paho: Request for CVE in known hostname validation vulnerability in the MQTT library (CVE-2019-11777)
  • 550943 Community: Mojarra multiple directory traversal issues
  • 551423 Community: repo.locationtech.org Only Supports TLS 1.1 Which is Unsecure
  • 551596 Che: Remote Code Execution Vulnerability in Web Interface (CVE-2019-17633)
  • 551680 Platform: [Webapp][Security] XSS in query param of webapp war file
  • 551747 Community: Arbitrary File Read Abusing The `mini-browser` Extension (CVE-2019-17636)
  • 552129 openj9: Dump creation (CVE-2019-17631)
  • 552542 Community: XSS in Memory Analyzer plugin for Eclipse (CVE-2019-17634)
  • 553067 RAP: Accidental XSS possible with HTML MARKUP_ENABLED in RAP
  • 558633 MAT: Deserialization issues (CVE-2019-17635)
  • 561109 Community: Javascript injection via notification messages in Theia IDE (CVE-2021-28162)
  • 563882 Community: Unauthorized retained message
  • 563998 openj9: Undefined return value (CVE-2019-17639)
  • 564984 Community: CVE Request: Jetty Corrupt Response Buffer (CVE-2019-17638)
  • 565671 Community: Mosquitto Windows Service Unquoted Path vulnerability
  • 567068 Community: Hono's AMQP adapter does not check/limit incoming message size (CVE-2020-27217)
  • 567213 Community: Vulnerability in Mosquitto configuration file parsing
  • 567416 Community: Eclipse Vert.x StaticHandler doesn't correctly process back slashes (CVE-2019-17640)
  • 567921 Community: Jetty vulnerable to temporary directory hijacking (CVE-2020-27216)
  • 568018 Community: Theia "mini-browser" extension RCE exploit (CVE-2021-34435)
  • 569763 openj9: Stack buffer overflow (CVE-2020-27221)
  • 569855 Platform: Vulnerability in Eclipse livehelp. (CVE-2020-27225)
  • 570090 Community: OBB-1677065 - XSS vuln for eclipse.org
  • 570105 Wakaama: A null pointer reference exists in the wakaama project.
  • 570289 Community: Eclipse hawkBit CVE request: Improper escaping of JSON response field (CVE-2020-27219)
  • 570582 z_Archived: Update bundled guava and any guava dependencies to 30.0+
  • 571233 Community: Security Leak Information: Maven Password‏
  • 571411 Community: security - LFI on eclipse.org/mylyn
  • 571428 Community: [Security] Unauthorized users could access agent logs
  • 571477 Platform: API key in build job definition shell script
  • 571856 openj9: Use of ConstantPool may not initialize class
  • 572218 Community: Jetty 100% CPU upon receiving a large invalid TLS Frame (CVE-2021-28165)
  • 572219 Community: Jetty Ambiguous Paths can access WEB-INF (CVE-2021-28164)
  • 572220 Community: Jetty Symlink Directory Exposes Webapp Directory Contents (CVE-2021-28163)
  • 572608 Community: Mosquitto: CVE request - NULL pointer dereference on crafted CONNACK (CVE-2021-28166)
  • 572718 MAT: 4th party library issue
  • 573389 Community: Jetty Utility Servlets Double Decoding Information Disclosure Vulnerability (CVE-2021-28169)
  • 573743 Community: The Eclipse Security Mailing list is publicly accessible!
  • 573993 Viatra: Username Compromised using jenkins
  • 574141 Community: Remote crash in Mosquitto 2.0.7 when publish topic length is 0 (CVE-2021-34432)
  • 574146 Community: Jetty SessionListener can prevent a session from being invalidated breaking logout. (CVE-2021-34428)
  • 574386 Mylyn Docs: Vulnerabilities discovered in third-party content
  • 575281 Californium: 2.0 - 2.6 : DTLS vulnerability not verifying the server certificate, when ServerKeyExchange is not signed (CVE-2021-34433)
  • 575924 Community: XSS in @theia/plugin-ext webview (CVE-2021-41038)
  • 576395 openj9: OpenJ9 must throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods

Back to the top