PT-2022-11358 · Eclipse · Eclipse P2

Merks · Published 2022-07-08 · Updated 2024-07-12 · CVE-2021-41037

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Eclipse p2 (affected versions not specified)
Description: The issue concerns Eclipse p2 installable units, which can alter the Eclipse Platform installation and the local machine via touchpoints during installation. Touchpoint instructions can, among other things, modify the command line used to start the application, injecting settings (such as agents) that require particular attention in terms of security. Although Eclipse p2 has built-in strategies to ensure that artifacts are signed, there is no such strategy for the metadata that configures touchpoints. As a result, it is possible to install a unit that runs malicious code during installation without the user receiving any warning that this installation step is risky when it comes from an untrusted source.
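The mechanism described above is visible in the repository metadata itself: each installable unit carries touchpoint instructions per installation phase, and those instructions, not the signed artifacts, are what rewrite eclipse.ini or the file system. The script below is an added example, not part of this advisory or of the Eclipse p2 code base. It parses a constructed content.xml fragment (the repository, unit ids and paths are invented) and flags instructions that alter the launcher command line or the local machine, using the element layout of p2 content.xml and the action names of the p2 Eclipse and native touchpoints. Such an audit is a review aid for repository contents that p2 would otherwise accept silently; it does not replace signature verification of the metadata, which is exactly what the vulnerability says is missing.

```python
"""Audit p2 installable-unit metadata for touchpoint instructions that change
the launcher command line or the local file system.

Added example for CVE-2021-41037, not code from the advisory or from Eclipse p2.
SAMPLE_CONTENT_XML is constructed; its repository name, unit ids and paths are
invented. Element names follow p2 content.xml; action names are those of the
p2 Eclipse and native touchpoints.
"""
import re
import xml.etree.ElementTree as ET

# Actions that rewrite eclipse.ini / the launch command line. Artifact
# signature checks say nothing about these: they live in the metadata.
LAUNCHER_ACTIONS = {
    "addJvmArg", "addProgramArg", "setProgramProperty", "setLauncherName",
    "setFrameworkDependentProperty", "setFrameworkIndependentProperty",
}
# Actions that touch the file system outside the bundle install itself.
FILESYSTEM_ACTIONS = {"chmod", "copy", "unzip", "remove", "rmdir", "mkdir", "link"}
# JVM options that load and run arbitrary code when the application starts.
AGENT_PREFIXES = ("-javaagent:", "-agentpath:", "-agentlib:", "-Xbootclasspath")

# Instruction syntax: action(key:value,key:value);action(...);
ACTION_RE = re.compile(r"(\w+)\s*\(([^)]*)\)")


def parse_instruction(text):
    """Split 'a(k:v,k:v);b(...)' into [(name, {k: v}), ...].

    Values are split on the first ':' only, so '-javaagent:/path' survives.
    Values containing ',' are not handled (not needed for this audit).
    """
    actions = []
    for name, args in ACTION_RE.findall(text or ""):
        params = {}
        for part in args.split(","):
            if ":" in part:
                key, value = part.split(":", 1)
                params[key.strip()] = value.strip()
        actions.append((name, params))
    return actions


def audit(content_xml):
    """Return [(unit id, phase, action, reason)] for risky touchpoint instructions."""
    findings = []
    root = ET.fromstring(content_xml)
    for unit in root.iter("unit"):
        uid = unit.get("id")
        for instr in unit.iter("instruction"):
            phase = instr.get("key")  # install / configure / uninstall / ...
            for name, params in parse_instruction(instr.text):
                jvm_arg = params.get("jvmArg", "")
                if name == "addJvmArg" and jvm_arg.startswith(AGENT_PREFIXES):
                    findings.append((uid, phase, name, "loads an agent at JVM start: " + jvm_arg))
                elif name in LAUNCHER_ACTIONS:
                    findings.append((uid, phase, name, "rewrites launcher configuration"))
                elif name in FILESYSTEM_ACTIONS:
                    findings.append((uid, phase, name, "modifies the local file system"))
    return findings


# Constructed sample: one ordinary bundle unit and one unit whose configure
# phase injects a Java agent and changes a program property.
SAMPLE_CONTENT_XML = """<repository name='constructed-repo' version='1'>
  <units size='2'>
    <unit id='com.example.benign' version='1.0.0'>
      <touchpoint id='org.eclipse.equinox.p2.osgi' version='1.0.0'/>
      <touchpointData size='1'>
        <instructions size='2'>
          <instruction key='install'>installBundle(bundle:${artifact});</instruction>
          <instruction key='uninstall'>uninstallBundle(bundle:${artifact});</instruction>
        </instructions>
      </touchpointData>
    </unit>
    <unit id='com.example.suspicious' version='1.0.0'>
      <touchpoint id='org.eclipse.equinox.p2.osgi' version='1.0.0'/>
      <touchpointData size='1'>
        <instructions size='1'>
          <instruction key='configure'>addJvmArg(jvmArg:-javaagent:${installFolder}/plugins/helper.jar);setProgramProperty(propName:osgi.instance.area,propValue:/tmp/workspace);</instruction>
        </instructions>
      </touchpointData>
    </unit>
  </units>
</repository>
"""

if __name__ == "__main__":
    for uid, phase, action, reason in audit(SAMPLE_CONTENT_XML):
        print(f"{uid} [{phase}] {action}: {reason}")
```

Run it against a repository's content.xml (or the content.jar unpacked) before adding that repository as an update site; any hit in the configure phase deserves the same scrutiny as unsigned code, because p2 applies it without a trust prompt.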
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until one is available, add only trusted update sites and review repository metadata before installing from it: artifact signatures do not cover the metadata that carries touchpoint instructions, so p2 will execute those instructions from an untrusted repository without any warning.

Related Identifiers

CVE-2021-41037

Affected Products

Eclipse P2