technology.omr

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

Basic information

Project name: Eclipse OMR

Project id: technology.omr

Request type: publication

Versions affected: [Initial - 0.4.0]

Common Weakness Enumeration:

• CWE-476

Common Vulnerability Scoring System: {cvss}

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Summary:

In Eclipse OMR, from the initial contribution to version 0.4.0, some OMR internal port library and utilities consumers of z/OS atoe functions do not check their return values for NULL memory pointers or for memory allocation failures. This can lead to NULL pointer dereference crashes. Beginning in version 0.5.0, internal OMR consumers of atoe functions handle NULL return values and memory allocation failures correctly.

Links:

• https://github.com/eclipse-omr/omr/pull/7655
• https://github.com/eclipse-omr/omr/pull/7663

Tracking

This section will completed by the project team.

• Reserve an entry only
• We're ready for this issue to be reported to the central authority (i.e., make this public now)
• (when applicable) The GitHub Security Advisory is ready to be published now

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

This section will be completed by the EMO.

CVE: {cve}

• All required information is provided
• CVE Assigned
• Pushed to Mitre
• Accepted by Mitre

changed the description

changed the description

changed the description

The reserved ID for this one is CVE-2025-1470

added cvereserved label

changed the description

Prepared the following CVE entry:

@dmaier could you please double check this before we move on to publish it?

I created a score before noticing you updated with one yourself. We use CVSS version 4.0, it slightly differs from yours. The CVSS score I added for this entry is this: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, please let me know if you would like to modify it.

Also please let me know if you would like anything else added, such as package name, credits, any release info, etc. Thanks!

I think your v4 score is fine, so you can proceed and use that instead of mine. Otherwise, I don't have anything else to add. Please go ahead and publish.

removed cvereserved label

added cvepublished label

The CVE has been published, removing confidentiality.

made the issue visible to everyone

closed

changed the description