CVE-2021-41034

CVE-2021-41034 is a high-severity vulnerability in Eclipse Che with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-924.

Key facts

Description

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che.

Frequently asked questions

What is CVE-2021-41034?
The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che.
How severe is CVE-2021-41034?
CVE-2021-41034 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-41034 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-41034?
CVE-2021-41034 affects Eclipse Che. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-41034?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
When was CVE-2021-41034 published?
CVE-2021-41034 was published on 2021-09-29 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Eclipse Che

All CVEs affecting Eclipse Che →

Other CWE-924 vulnerabilities

Browse all CWE-924 vulnerabilities →