CVE-2021-41037

Description

In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command line used to start the application, injecting things like agents or other settings that usually require particular attention in terms of security. Although p2 has built-in strategies to ensure artifacts are signed and thereby help establish trust, there is no such strategy for the metadata part that configures such touchpoints. As a result, it is possible to install a unit that will run malicious code during installation without the user receiving any warning that this installation step is risky when it comes from an untrusted source.

Category

CVSS: 10.0
Severity: Critical
EPSS: 0.29%
Vendor Advisory: eclipse.org
Affected: The Eclipse Foundation Eclipse Equinox p2
Published at:
Updated at:

References

Frequently Asked Questions

What is the severity of CVE-2021-41037?
CVE-2021-41037 has been scored as a critical severity vulnerability.
How to fix CVE-2021-41037?
To fix CVE-2021-41037, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As of now, there are no other specific guidelines available.
Is CVE-2021-41037 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2021-41037 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-41037?
CVE-2021-41037 affects The Eclipse Foundation Eclipse Equinox p2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.