Description
In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process.
References (1)
Core References
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugs.eclipse.org/bugs/show_bug.cgi?id=569855
Scores
CVSS v3
7.8
EPSS
0.0020
EPSS Percentile
41.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-306
Status
published
Products (1)
eclipse/platform
< 4.18
Published
Mar 09, 2021
Tracked Since
Feb 18, 2026