
Eclipse Csi Pia

2 CVEs for this product


CVE-2026-14336 HIGH This Week

Server-side request forgery and OIDC token forgery in Eclipse CSI PIA let an unauthenticated attacker abuse a flawed Jenkins issuer allowlist (a bare `startswith('https://ci.eclipse.org')` check in `is_issuer_known`, pia/models.py:139) to redirect OIDC discovery and JWKS fetches to an attacker-controlled host. By posting a crafted issuer such as `https://ci.eclipse.org@evil.host` or `https://ci.eclipse.org.evil.host` to `POST /v1/upload/sbom`, an attacker forces PIA to make outbound requests to arbitrary hosts and to accept a JWT signed with the attacker's own key, effectively bypassing token verification. No public exploit was identified at the time of analysis, but the flaw is unauthenticated and network-reachable, and the CVSS 3.1 base score is 8.2.

Tags: SSRF, Jenkins, Eclipse Csi Pia
Source: NVD
CVSS 3.1: 8.2
EPSS: 0.3%
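The root cause above is that a string prefix check says nothing about which host a URL actually names. The following is an added example (not PIA's own code) of what a component-wise issuer check looks like: it parses the issuer, rejects userinfo, non-https schemes, odd ports, query/fragment and path traversal, requires an exact host match, and returns a canonical issuer that callers must use to build the discovery and JWKS URLs. `ALLOWED_ISSUER_HOSTS`, `canonical_issuer` and `discovery_url` are names assumed for illustration, and `is_issuer_known_weak` is a reconstruction of the check the advisory describes, not PIA's source.

```python
"""Hardened OIDC issuer validation (added example, not PIA code)."""
from urllib.parse import urlsplit

# Hosts whose OIDC issuers are trusted. Constructed for this example.
ALLOWED_ISSUER_HOSTS = {"ci.eclipse.org"}


def is_issuer_known_weak(issuer: str) -> bool:
    """Reconstruction of the prefix check the advisory describes.
    'https://ci.eclipse.org@evil.host' passes, yet points at evil.host."""
    return issuer.startswith("https://ci.eclipse.org")


def canonical_issuer(issuer: str):
    """Return the canonical issuer URL if every component checks out, else None."""
    try:
        parts = urlsplit(issuer)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # Scheme, userinfo, port, query and fragment are all places where a
    # different target can be smuggled past a prefix check.
    if parts.scheme != "https":
        return None
    if parts.username is not None or parts.password is not None:
        return None  # 'https://ci.eclipse.org@evil.host' has userinfo
    if port not in (None, 443):
        return None
    if parts.query or parts.fragment:
        return None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_ISSUER_HOSTS:  # exact match, not a prefix
        return None  # rejects 'ci.eclipse.org.evil.host'
    # Path may only contain plain segments: no traversal, no empty segments.
    path = parts.path.rstrip("/")
    if any(seg in ("", ".", "..") for seg in path.split("/")[1:]):
        return None
    # Trailing slash is dropped; compare the token's `iss` claim against this form too.
    return f"https://{host}{path}"


def is_issuer_known(issuer: str) -> bool:
    return canonical_issuer(issuer) is not None


def discovery_url(issuer: str):
    """Build the discovery URL from the canonical issuer, never from raw input."""
    canon = canonical_issuer(issuer)
    return None if canon is None else f"{canon}/.well-known/openid-configuration"
```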
CVE-2026-12616 MEDIUM This Month

Log injection in Eclipse CSI PIA's unauthenticated /v1/upload/sbom endpoint allows a remote attacker to plant forged authentication-success log entries that are byte-for-byte indistinguishable from genuine PIA audit events. PIA is an authentication broker whose logs are explicitly designated as the authoritative source for incident response (DESIGN.md §5.4), so the forgery directly subverts the audit trail the service exists to produce. No public exploit had been identified at the time of analysis, but the attack requires no authentication and minimal technical sophistication.

Tags: Information Disclosure, Eclipse Csi Pia
Source: NVD
CVSS 4.0: 6.9
EPSS: 0.3%