CVE-2021-41034
CVE-2021-41034 is a high-severity vulnerability in Eclipse Che with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-924.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v2: 6.8
- EPSS exploit prediction: 0% (31st percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-924
- Affected product: Eclipse Che
- Published:
- Last modified:
Description
The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che.
Frequently asked questions
- What is CVE-2021-41034?
- The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che.
- How severe is CVE-2021-41034?
- CVE-2021-41034 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-41034 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-41034?
- CVE-2021-41034 affects Eclipse Che. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-41034?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-41034 published?
- CVE-2021-41034 was published on 2021-09-29 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:eclipse:che:*:*:*:*:*:*:*:*
More vulnerabilities in Eclipse Che
- CVE-2019-17633 — High (CVSS 8.8): For Eclipse Che versions 6.16 to 7.3.0, with both authentication and TLS disabled, visiting a malicious web site could…
- CVE-2020-14368 — High (CVSS 7.1): A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with…
- CVE-2020-10689 — Medium (CVSS 6.4): A flaw was found in the Eclipse Che up to version 7.8.x, where it did not properly restrict access to workspace pods.…
All CVEs affecting Eclipse Che →
Other CWE-924 vulnerabilities
- CVE-2025-29628 — Critical (CVSS 9.4): A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware…
- CVE-2024-44730 — Critical (CVSS 9.1): Incorrect access control in the function handleDataChannelChat(dataMessage) of Mirotalk before commit c21d58 allows…
- CVE-2020-5869 — Critical (CVSS 9.1): In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization is not secure by TLS and may allow on-path attackers to…
- CVE-2025-0592 — High (CVSS 8.8): The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by manipulating the…
- CVE-2019-25719 — High (CVSS 8.6): Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1,…
- CVE-2021-34793 — High (CVSS 8.6): A vulnerability in the TCP Normalizer of Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense…