CVE-2021-41037

EPSS 0.51%
Veröffentlicht 08.07.2022 04:15:13
Zuletzt bearbeitet 21.11.2024 06:25:19
Quelle emo@eclipse.org
Teams Watchlist Login
Unerledigt Login

In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Eclipse ≫ Equinox P2 Version >= 1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.653

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
emo@eclipse.org	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029

Vendor Advisory

Mailing List

https://github.com/eclipse-equinox/p2/issues/235

https://nvd.nist.gov/vuln/detail/CVE-2021-41037

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41037

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41037

EUVD