Vulnerability Description
In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Equinox P2 | >= 1.0.0 |
Related Weaknesses (CWE)
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029Mailing ListVendor Advisory
- https://github.com/eclipse-equinox/p2/issues/235
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029Mailing ListVendor Advisory
- https://github.com/eclipse-equinox/p2/issues/235
FAQ
What is CVE-2021-41037?
CVE-2021-41037 is a vulnerability with a CVSS score of 10.0 (CRITICAL). In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-li...
How severe is CVE-2021-41037?
CVE-2021-41037 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-41037?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Equinox P2.