Aggregates CVE and security vulnerability intelligence across all Eclipse Foundation-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues involve various input-handling and memory-safety problems that may affect software stability and security.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-9202 | In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering. This enables parties to potentially see datasets they should not have access to, thereby ex | [email protected] | 5.3 | 0.37% | 2024-09-27 | 2026-06-17 |
| CVE-2024-8646 | In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/'). | [email protected] | 6.1 | 0.35% | 2024-09-11 | 2026-06-17 |
| CVE-2024-8642 | In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. | [email protected] | 5.1 | 0.40% | 2024-09-11 | 2026-06-17 |
| CVE-2024-8391 | In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in the 4.5.10 version. Note this does not affect the Vert.x gRPC server based grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc) | [email protected] | 6.9 | 0.58% | 2024-09-04 | 2026-06-17 |
| CVE-2023-7272 | In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents. | [email protected] | 8.6 | 0.57% | 2024-07-17 | 2026-06-17 |
| CVE-2024-3933 | In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with hardware and software support for guarded storage [1], could allow access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. This allows read a | [email protected] | 5.3 | 0.21% | 2024-05-27 | 2026-06-17 |
| CVE-2024-5165 | In Eclipse Ditto versions 3.0.0 to 3.5.5, the user input of several input fields of the Eclipse Ditto Explorer User Interface https://eclipse.dev/ditto/user-interface.html was not properly neutralized and thus vulnerable to both Reflected and Stored XSS (Cross Site Scripting). Several inputs were not persisted at the backend of Eclipse Ditto, but only in local browser storage to save settings of "environments" of the UI and e.g. the last performed "search queries", resulting in a "Reflect | [email protected] | 6.5 | 0.50% | 2024-05-23 | 2026-06-17 |
| CVE-2024-4536 | In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specifi | [email protected] | 6.8 | 0.41% | 2024-05-07 | 2026-06-17 |
| CVE-2024-0740 | Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 | [email protected] | 9.8 | 1.24% | 2024-04-26 | 2026-06-17 |
| CVE-2024-3046 | In Eclipse Kura LogServlet component included in versions 5.0.0 to 5.4.1, a specifically crafted request to the servlet can allow an unauthenticated user to retrieve the device logs. Also, downloaded logs may be used by an attacker to perform privilege escalation by using the session id of an authenticated user reported in logs. This issue affects org.eclipse.kura:org.eclipse.kura.web2 version range [2.0.600, 2.4.0], which is included in Eclipse Kura version range [5.0.0, 5.4.1] | [email protected] | 7.5 | 0.58% | 2024-04-09 | 2026-06-17 |
| CVE-2024-2452 | In Eclipse ThreadX NetX Duo before 6.4.0, if an attacker can control parameters of __portable_aligned_alloc() could cause an integer wrap-around and an allocation smaller than expected. This could cause subsequent heap buffer overflows. | [email protected] | 7.0 | 0.90% | 2024-03-26 | 2026-06-17 |
| CVE-2024-2214 | In Eclipse ThreadX before version 6.4.0, the _Mtxinit() function in the Xtensa port was missing an array size check causing a memory overwrite. The affected file was ports/xtensa/xcc/src/tx_clib_lock.c | [email protected] | 7.0 | 0.34% | 2024-03-26 | 2026-06-17 |
| CVE-2024-2212 | In Eclipse ThreadX before 6.4.0, xQueueCreate() and xQueueCreateSet() functions from the FreeRTOS compatibility API (utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c) were missing parameter checks. This could lead to integer wraparound, under-allocations and heap buffer overflows. | [email protected] | 7.3 | 0.54% | 2024-03-26 | 2026-06-17 |
| CVE-2024-22201 | Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6. | [email protected] | 7.5 | 1.43% | 2024-02-26 | 2026-06-17 |
| CVE-2023-6194 | In Eclipse Memory Analyzer versions 0.7 to 1.14.0, report definition XML files are not filtered to prohibit document type definition (DTD) references to external entities. This means that if a user chooses to use a malicious report definition XML file containing an external entity reference to generate a report then Eclipse Memory Analyzer may access external files or URLs defined via a DTD in the report definition. | [email protected] | 2.8 | 0.31% | 2023-12-11 | 2026-06-17 |
| CVE-2023-48698 | Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to expired pointer dereference vulnerabilities in Azure RTOS USBX. The affected components include functions/processes in host stack and host classes, related to device linked classes, GSER and HID in RTOS v6.2.1 and below. The fixes have been included in USBX release 6.3.0. Users are advised to upgrade. There are no known wo | [email protected] | 6.8 | 0.93% | 2023-12-04 | 2026-06-17 |
| CVE-2023-48697 | Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to memory buffer and pointer vulnerabilities in Azure RTOS USBX. The affected components include functions/processes in pictbridge and host class, related to PIMA, storage, CDC ACM, ECM, audio, hub in RTOS v6.2.1 and below. The fixes have been included in USBX release 6.3.0. Users are advised to upgrade. There are no known wo | [email protected] | 6.4 | 1.19% | 2023-12-04 | 2026-06-17 |
| CVE-2023-48696 | Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to expired pointer dereference vulnerabilities in Azure RTOS USBX. The affected components include components in host class, related to CDC ACM in RTOS v6.2.1 and below. The fixes have been included in USBX release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | [email protected] | 6.7 | 0.95% | 2023-12-04 | 2026-06-17 |
| CVE-2023-48695 | Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to out of bounds write vulnerabilities in Azure RTOS USBX. The affected components include functions/processes in host and device classes, related to CDC ECM and RNDIS in RTOS v6.2.1 and below. The fixes have been included in USBX release 6.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerabili | [email protected] | 7.3 | 1.23% | 2023-12-04 | 2026-06-17 |
| CVE-2023-48694 | Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Azure RTOS ThreadX. An attacker can cause remote code execution due to expired pointer dereference and type confusion vulnerabilities in Azure RTOS USBX. The affected components include functions/processes in host stack and host class, related to device linked classes, ASIX, Prolific, SWAR, audio, CDC ECM in RTOS v6.2.1 and below. The fixes have been included in USBX release 6.3.0. Users are | [email protected] | 6.8 | 1.33% | 2023-12-04 | 2026-06-17 |