CVEs from 2017

| Metric | Value |
|---|---|
| Total | 11,606 |
| Critical | 1,650 |
| High | 5,044 |
| Medium | 4,169 |
| Low | 159 |
| % Critical | 14.2% |
| % with KEV | 0.7% |
| % with exploit | 9.9% |
Top products

- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-1000396 | unknown | — | — | | | | 4y ago | Improper Certificate Validation in Jenkins |
| CVE-2017-1000394 | unknown | — | — | | | | 4y ago | Improper Input Validation in Jenkins |
| CVE-2017-1000393 | unknown | — | — | | | | 4y ago | OS Command Injection in Jenkins |
| CVE-2017-1000391 | unknown | — | — | | | | 4y ago | Improper Input Validation in Jenkins |
| CVE-2017-1000392 | unknown | — | — | | | | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins |
| CVE-2017-15089 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Infinispan |
| CVE-2017-1000386 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Jenkins Active Choices plugin |
| CVE-2017-15719 | unknown | — | — | | | | 4y ago | Cross-site Scripting in wicket-jquery-ui |
| CVE-2017-15691 | unknown | — | — | | | | 4y ago | Improper Restriction of XML External Entity Reference in Apache uimaj |
| CVE-2017-9795 | unknown | — | — | | | | 4y ago | Apache Geode OQL method invocation vulnerability |
| CVE-2017-1000190 | unknown | — | — | | | | 4y ago | SimpleXML has XML External Entity (XXE) vulnerability |
| CVE-2017-1000426 | unknown | — | — | | | | 4y ago | MapProxy version 1.10.3 and older is vulnerable to a Cross Site Scripting attack in the demo service resulting in possible information disclosure. |
| CVE-2017-18191 | unknown | — | — | | | | 4y ago | An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt t… |
| CVE-2017-16653 | unknown | — | — | | | | 4y ago | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different token… |
| CVE-2017-1000403 | unknown | — | — | | | | 4y ago | Arbitrary code execution vulnerability in Jenkins Speaks! Plugin |
| CVE-2017-1000387 | unknown | — | — | | | | 4y ago | Jenkins Build-Publisher plugin has Insufficiently Protected Credentials |
| CVE-2017-12165 | unknown | — | — | | | | 4y ago | Undertow Request Smuggling vulnerability |
| CVE-2017-12196 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Undertow |
| CVE-2017-12197 | unknown | — | — | | | | 4y ago | Improper Input Validation in libpam4j |
| CVE-2017-2602 | unknown | — | — | | | | 4y ago | Incomplete List of Disallowed Inputs in Jenkins |
| CVE-2017-2598 | unknown | — | — | | | | 4y ago | Inadequate Encryption Strength in Jenkins |
| CVE-2017-2589 | unknown | — | — | | | | 4y ago | Insecure cookie sharing in Hawtio |
| CVE-2017-2600 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2594 | unknown | — | — | | | | 4y ago | Path Traversal in io.hawt:project |
| CVE-2017-2606 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2612 | unknown | — | — | | | | 4y ago | Incorrect Permission Assignment for Critical Resource in Jenkins |
| CVE-2017-2608 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Jenkins |
| CVE-2017-2610 | unknown | — | — | | | | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins |
| CVE-2017-2607 | unknown | — | — | | | | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins |
| CVE-2017-2603 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2613 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery in Jenkins |
| CVE-2017-2604 | unknown | — | — | | | | 4y ago | Improper Authentication in Jenkins |
| CVE-2017-2609 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2649 | unknown | — | — | | | | 4y ago | Jenkins Active Directory Plugin did not verify certificate of AD server |
| CVE-2017-2638 | unknown | — | — | | | | 4y ago | Infinispan Rest API Does Not Enforce Auth Constraints |
| CVE-2017-2648 | unknown | — | — | | | | 4y ago | Jenkins SSH Build Agents Plugin did not verify host keys |
| CVE-2017-2651 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins-mailer-plugin |
| CVE-2017-2652 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins Distributed Fork Plugin |
| CVE-2017-2650 | unknown | — | — | | | | 4y ago | Jenkins Pipeline Classpath Step plugin allowed Script Security sandbox bypass |
| CVE-2017-2654 | unknown | — | — | | | | 4y ago | Emails were sent to addresses not associated with actual users of Jenkins by Email Extension Plugin |
| CVE-2017-3202 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Flamingo amf-serializer |
| CVE-2017-3203 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Spring-flex |
| CVE-2017-7545 | unknown | — | — | | | | 4y ago | XML External Entity Reference in jbpmmigration |
| CVE-2017-7559 | unknown | — | — | | | | 4y ago | Undertow vulnerable to Request Smuggling |
| CVE-2017-3199 | unknown | — | — | | | | 4y ago | GraniteDS Insecure Deserialization |
| CVE-2017-3200 | unknown | — | — | | | | 4y ago | GraniteDS Insecure Deserialization |
| CVE-2017-12610 | unknown | — | — | | | | 4y ago | Improper Authentication in Apache Kafka |
| CVE-2017-1000390 | unknown | — | — | | | | 4y ago | Jenkins Multijob plugin did not check permissions in the Resume Build action |
| CVE-2017-15695 | unknown | — | — | | | | 4y ago | Apache Geode vulnerable to Incorrect Authorization |
| CVE-2017-1000388 | unknown | — | — | | | | 4y ago | Jenkins Dependency Graph Viewer plugin vulnerable to missing permission checks |
| CVE-2017-1000400 | unknown | — | — | | | | 4y ago | Missing Authorization in Jenkins |
| CVE-2017-2611 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Jenkins Core |
| CVE-2017-2599 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Jenkins |
| CVE-2017-1000487 | unknown | — | — | | | | 4y ago | OS Command Injection in Plexus-utils |
| CVE-2017-12174 | unknown | — | — | | | | 4y ago | Uncontrolled Resource Consumption in Artemis and HornetQ |
| CVE-2017-15709 | unknown | — | — | | | | 4y ago | ActiveMQ's OpenWire protocol exposes certain system details as plain text |
| CVE-2017-7543 | unknown | — | — | | | | 4y ago | A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutro… |
| CVE-2017-2673 | unknown | — | — | | | | 4y ago | An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and uninte… |
| CVE-2017-2601 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Jenkins |
| CVE-2017-17837 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Apache DeltaSpike |
| CVE-2017-15686 | unknown | — | — | | | | 4y ago | Cross-site scripting in Crafter CMS Crafter Studio |
| CVE-2017-15684 | unknown | — | — | | | | 4y ago | Path Traversal in Crafter CMS Crafter Studio |
| CVE-2017-15685 | unknown | — | — | | | | 4y ago | XML Injection in Crafter CMS Crafter Studio 3.0.1 |
| CVE-2017-15681 | unknown | — | — | | | | 4y ago | Path Traversal in Crafter CMS Crafter Studio |
| CVE-2017-8761 | unknown | — | — | | | | 5y ago | In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these log… |
| CVE-2017-7957 | unknown | — | — | | | | 6y ago | Denial of service in XStream |
| CVE-2017-7536 | unknown | — | — | | | | 6y ago | Privilege Escalation in Hibernate Validator |
| CVE-2017-15703 | unknown | — | — | | | | 7y ago | Denial of service via deserialization attack in nifi |
| CVE-2017-15694 | unknown | — | — | | | | 7y ago | Argument Injection in Apache Geode server |
| CVE-2017-12619 | unknown | — | — | | | | 7y ago | Session Fixation in Apache Zeppelin |
| CVE-2017-3164 | unknown | — | — | | | | 7y ago | Server-Side Request Forgery (SSRF) in org.apache.solr:solr-core |
| CVE-2017-15718 | unknown | — | — | | | | 8y ago | Exposure of Sensitive Information in Hadoop |
| CVE-2017-15713 | unknown | — | — | | | | 8y ago | Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main |
| CVE-2017-18239 | unknown | — | — | | | | 8y ago | Exposure of Sensitive information in authentikat-jwt |
| CVE-2017-18349 | unknown | — | — | | | | 8y ago | Improper Input Validation in alilibaba:fastjson |
| CVE-2017-2666 | unknown | — | — | | | | 8y ago | Undertow-core vulnerable to HTTP Request Smuggling |
| CVE-2017-2670 | unknown | — | — | | | | 8y ago | Moderate severity vulnerability that affects io.undertow:undertow-core |
| CVE-2017-1000498 | unknown | — | — | | | | 8y ago | Android SVG vulnerable to XML External Entity (XXE) |
| CVE-2017-7658 | unknown | — | — | | | | 8y ago | Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling) |
| CVE-2017-7656 | unknown | — | — | | | | 8y ago | Jetty vulnerable to cache poisoning due to inconsistent HTTP request handling (HTTP Request Smuggling) |
| CVE-2017-7657 | unknown | — | — | | | | 8y ago | Critical severity vulnerability that affects org.eclipse.jetty:jetty-server |
| CVE-2017-17485 | unknown | — | — | | | | 8y ago | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploit… |
| CVE-2017-15095 | unknown | — | — | | | | 8y ago | A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously craft… |
| CVE-2017-12161 | unknown | — | — | | | | 8y ago | Moderate severity vulnerability that affects org.keycloak:keycloak-core |
| CVE-2017-2582 | unknown | — | — | | | | 8y ago | keycloak-core discloses system properties |
| CVE-2017-2646 | unknown | — | — | | | | 8y ago | Keycloak vulnerable to infinite loop based Denial of Service |
| CVE-2017-2585 | unknown | — | — | | | | 8y ago | keycloak-core vulnerable to timing attacks against JWS token verification |
| CVE-2017-7525 | unknown | — | — | | | | 8y ago | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the malicious… |
| CVE-2017-16229 | unknown | — | — | | | | 9y ago | In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based buffer over-read in the read_from_str function in sax_buf.c when a crafted input is supplied to sax_parse. |