Channel Accessible by Non-Endpoint

CVE-2021-41033

High

8.1/10

Summary

In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-300 - Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

References

Advisory Timeline

Published Sep 13, 2021

Channel Accessible by Non-Endpoint

CVE-2021-41033

Summary

CWE-300 - Channel Accessible by Non-Endpoint

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS