1939630 – (CVE-2020-27225) CVE-2020-27225 eclipse: Help Subsystem does not authenticate active help requests

Bug 1939630 (CVE-2020-27225) - CVE-2020-27225 eclipse: Help Subsystem does not authenticate active help requests

Summary: CVE-2020-27225 eclipse: Help Subsystem does not authenticate active help requ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-27225
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1939631 1943466
Blocks:	1939632
TreeView+	depends on / blocked

Reported:	2021-03-16 17:33 UTC by Pedro Sampaio
Modified:	2021-10-28 05:04 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-10-28 05:04:51 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-03-16 17:33:26 UTC

In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process.

References:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=569855

Comment 1 Pedro Sampaio 2021-03-16 17:33:59 UTC

Created eclipse tracking bugs for this issue:

Affects: fedora-all [bug 1939631]

Note You need to log in before you can comment on or make changes to this bug.