Sep 13, 2021 - 8:55 p.m.

CVE-2021-41033

2021-09-13 20:55:09
CWE-300
eclipse
www.cve.org

AI Score: 8.1 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 47.8%)

In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code.

CNA Affected

[
  {
    "product": "Eclipse Equinox",
    "vendor": "The Eclipse Foundation",
    "versions": [
      {
        "lessThanOrEqual": "4.21",
        "status": "unknown",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
