Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
从非可信控制范围包含功能例程
Vulnerability Title
Eclipse Equinox 安全漏洞
Vulnerability Description
Eclipse Equinox是Eclipse基金会的一个子项目,提供OSGi R4.x 核心框架规范的认证实现。 Eclipse Equinox 存在安全漏洞,该漏洞源于 p2 模块中可安装单元能够在安装过程中通过接触点改变Eclipse平台的安装和本地机器。例如,这些接触点可以改变用于启动应用程序的命令行,注入代理或其他通常需要特别注意的安全性设置。尽管p2有确保对工件进行签名然后帮助建立信任的内置策略,但是对于配置此类接触点的元数据部分没有这样的策略。因此,在安装过程中有可能安装一个会运行恶意代码的
CVSS Information
N/A
Vulnerability Type
N/A