CVE-2021-41037

Published: Jul 8, 2022

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.

Vendor	Product	Versions
The Eclipse Foundation	Eclipse Equinox p2	affected `1.0.0 - < 4.28`

Weaknesses (CWE)

CWE-829

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029

x_refsource_CONFIRM

https://github.com/eclipse-equinox/p2/issues/235

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-41037

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References