Missing authentication for critical function in Eclipse Platform - CVE-2020-27225
Published: March 2, 2021 / Updated: March 17, 2021
Vulnerability identifier: #VU51016
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-27225
CWE-ID: CWE-306
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Eclipse Platform
Eclipse Platform
Software vendor:
Eclipse
Eclipse
Description
The vulnerability allows a remote attacker to perform unauthorized actions against the application.
The vulnerability exists due to missing authentication when processing Active help requests to the local help web server. A remote non-authenticated attacker can send active help commands to the associated Eclipse platform process or Eclipse Rich Client Platform process.
Successful exploitation of the vulnerability may allow an attacker to read and modify data within the application, create or overwrite files on the system and perform a denial of service attack.
Remediation
Install update from vendor's website.