Eclipse Platform Vulnerability in p2 Allows Malicious Code Execution
CVE-2021-41037

10CRITICAL

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Equinox P2
Vendor: CVE Published:; 8 July 2022

What is CVE-2021-41037?

A vulnerability in Eclipse p2 allows installable units to modify the Eclipse Platform installation unpredictably. This flaw can enable malicious actors to manipulate the installation process, leading to the execution of harmful code without the user being aware of the risks. While p2 includes measures for artifact signing to establish trust, it lacks equivalent strategies for the metadata associated with configuration, making it possible for unverified units to execute unauthorized commands. Users downloading software from untrusted sources might find their systems compromised without appropriate warnings regarding these risky operations.

Affected Version(s)

Eclipse Equinox p2 1.0.0 < 4.28

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=577029

x_refsource_CONFIRM

https://github.com/eclipse-equinox/p2/issues/235

patch

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jul 8, 2022
Vulnerability Reserved
Sep 13, 2021

The Eclipse Foundation

What is CVE-2021-41037?

Affected Version(s)

References

CVSS V3.1

Timeline