Eclipse · Eclipse P2 · CVE-2021-41037
**Name of the Vulnerable Software and Affected Versions**
Eclipse p2 (affected versions not specified)
**Description**
Eclipse p2 delivers software as installable units. During installation an installable unit can alter the Eclipse Platform installation and the local machine through touchpoints, and a touchpoint can, for example, change the command line used to start the application, injecting settings (a JVM agent, for instance) that normally require particular security attention. Eclipse p2 has built-in strategies to verify that artifacts (the bundles and features it downloads) are signed, but there is no such strategy for the metadata that configures touchpoints, which is where those instructions live. As a result, an installable unit from an untrusted source can run malicious code during installation without the user receiving any warning that this installation step is risky.
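The check a practitioner would want before installing from a repository they do not fully trust is to look at the touchpoint instructions in the repository metadata rather than only at the artifact signatures. The following Python script is an added example, not code from the Eclipse p2 project or from this entry: it parses a small, constructed content.xml fragment (the unit ids `com.example.harmless` and `com.example.suspicious` and the agent path are made up) and reports every instruction that invokes an action able to change the launcher command line or write to the filesystem. The set of action names it flags is an assumed starting list taken from the Eclipse and native touchpoints; extend it to match your own policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample p2 metadata (content.xml) fragment for this example.
# It is not taken from any real update site.
SAMPLE_CONTENT_XML = """<?xml version='1.0' encoding='UTF-8'?>
<repository name='example' version='1'>
  <units size='2'>
    <unit id='com.example.harmless' version='1.0.0'>
      <touchpoint id='org.eclipse.equinox.p2.osgi' version='1.0.0'/>
      <touchpointData size='1'>
        <instructions size='1'>
          <instruction key='install'>
            installBundle(bundle:${artifact});
          </instruction>
        </instructions>
      </touchpointData>
    </unit>
    <unit id='com.example.suspicious' version='1.0.0'>
      <touchpoint id='org.eclipse.equinox.p2.osgi' version='1.0.0'/>
      <touchpointData size='1'>
        <instructions size='2'>
          <instruction key='configure'>
            addJvmArg(jvmArg:-javaagent:/tmp/agent.jar);addProgramArg(programArg:-clean);
          </instruction>
          <instruction key='unconfigure'>
            removeJvmArg(jvmArg:-javaagent:/tmp/agent.jar);
          </instruction>
        </instructions>
      </touchpointData>
    </unit>
  </units>
</repository>
"""

# Touchpoint actions that alter the launcher command line or touch the local
# filesystem. Assumed starting list for this example; tune it to your policy.
SENSITIVE_ACTIONS = {
    "addJvmArg", "removeJvmArg", "addProgramArg", "removeProgramArg",
    "setProgramProperty", "setLauncherName",
    "unzip", "copy", "link", "chmod", "mkdir", "rmdir", "remove",
}

# One touchpoint action call looks like: actionName(param:value, ...);
ACTION_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*\(([^)]*)\)")


def parse_instruction(text):
    """Split an <instruction> body into (action, raw_args) tuples."""
    return [(m.group(1), m.group(2).strip()) for m in ACTION_RE.finditer(text or "")]


def audit_content_xml(xml_text, sensitive=SENSITIVE_ACTIONS):
    """Return a list of findings for every sensitive action in the metadata.

    Each finding records the installable unit, the phase (install, configure,
    ...) in which the action runs, the action name and its arguments.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for unit in root.iter("unit"):
        unit_id = unit.get("id")
        version = unit.get("version")
        for instr in unit.iter("instruction"):
            phase = instr.get("key")
            for action, args in parse_instruction(instr.text):
                if action in sensitive:
                    findings.append({
                        "unit": unit_id,
                        "version": version,
                        "phase": phase,
                        "action": action,
                        "args": args,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_content_xml(SAMPLE_CONTENT_XML):
        print(f"{f['unit']} {f['version']} [{f['phase']}] {f['action']}({f['args']})")
```

To use it on a real repository, fetch content.xml (or extract it from content.jar) and pass its text to `audit_content_xml`; any `addJvmArg` or `addProgramArg` in a unit you did not expect to touch the launcher is the kind of change the artifact signature check described above would not have caught.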
**Recommendations**
No fixed version is listed for this entry. Until one is confirmed, treat installable units from untrusted sources as untrusted code: install only from repositories you trust, and review the touchpoint instructions in the repository metadata (content.xml or content.jar) before installing, since the artifact signature checks do not cover them.