Eclipse CSI PIA
Monthly
Server-side request forgery and OIDC token forgery in Eclipse CSI PIA let an unauthenticated attacker abuse a flawed Jenkins issuer allowlist (a bare `startswith('https://ci.eclipse.org')` check in `is_issuer_known`, pia/models.py:139) to redirect OIDC discovery and JWKS fetches to an attacker-controlled host. By posting a crafted issuer such as `https://ci.eclipse.org@evil.host` or `https://ci.eclipse.org.evil.host` to `POST /v1/upload/sbom`, an attacker forces PIA to make outbound requests to arbitrary hosts and to accept a JWT signed with the attacker's own key, effectively bypassing token verification. No public exploit was identified at the time of analysis, but the flaw is unauthenticated and network-reachable, and the CVSS 3.1 base score is 8.2.
Log injection in Eclipse CSI PIA's unauthenticated `/v1/upload/sbom` endpoint allows a remote attacker to plant forged authentication-success log entries that are byte-for-byte indistinguishable from genuine PIA audit events. PIA is an authentication broker whose logs are explicitly designated as the authoritative source for incident response (DESIGN.md §5.4), so the forgery directly subverts the audit trail the service exists to produce. No public exploit was identified at the time of analysis, but the attack requires no authentication and minimal technical sophistication.