CVEs from 2018
Total
2,843
critical
critical 238
high
high 331
medium
medium 263
low
low 39
% Critical
8.4%
% with KEV
3.1%
% with exploit
9.1%
Top vendors
- intel 1,561
- schneider-electric 43
- siemens 42
- rockwellautomation 16
- echelon 15
- redhat 12
- oracle 9
- arm 9
Top products
- core_i7 379
- core_i5 375
- core_i3 242
- xeon_e5 82
- xeon_e7 62
- xeon_e3 58
- xeon_gold 33
- atom_z 30
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1067 | unknown | — | — | 4y ago | Improper Neutralization of CRLF Sequences in HTTP Headers in Undertow | |||
| CVE-2018-14657 | unknown | — | — | 4y ago | Keycloak Improper Bruteforce Detection | |||
| CVE-2018-1048 | unknown | — | — | 4y ago | Improper Limitation of a Pathname to a Restricted Directory in Jboss EAP Undertow | |||
| CVE-2018-14642 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Undertow | |||
| CVE-2018-1190 | unknown | — | — | 4y ago | Pivotal Cloud Foundry UAA XSS on UAA OpenID Connect check session iframe endpoint | |||
| CVE-2018-14635 | unknown | — | — | 4y ago | When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service cou… | |||
| CVE-2018-1256 | unknown | — | — | 4y ago | Issuer validation regression in Spring Cloud SSO Connector | |||
| CVE-2018-1263 | unknown | — | — | 4y ago | spring-integration-zip Arbitrary File Write | |||
| CVE-2018-1262 | unknown | — | — | 4y ago | UAA privilege escalation across identity zones | |||
| CVE-2018-8012 | unknown | — | — | 4y ago | Missing Authorization in Apache ZooKeeper | |||
| CVE-2018-8088 | unknown | — | — | 4y ago | Improper Access Control in SLF4J | |||
| CVE-2018-1313 | unknown | — | — | 4y ago | Improper Access Control in Apache Derby | |||
| CVE-2018-1288 | unknown | — | — | 4y ago | Improper Control of Generation of Code in Apache Kafka | |||
| CVE-2018-1000067 | unknown | — | — | 4y ago | Server-Side Request Forgery in Jenkins | |||
| CVE-2018-1000192 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2018-1000193 | unknown | — | — | 4y ago | Injection in Jenkins | |||
| CVE-2018-1000068 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2018-1000194 | unknown | — | — | 4y ago | Path Traversal in Jenkins | |||
| CVE-2018-1000195 | unknown | — | — | 4y ago | Cross-Site Request Forgery in Jenkins | |||
| CVE-2018-6356 | unknown | — | — | 4y ago | Improper Limitation of a Pathname to a Restricted Directory in Jenkins | |||
| CVE-2018-5382 | unknown | — | — | 4y ago | Improper Validation of Integrity Check Value in Bouncy Castle | |||
| CVE-2018-1000073 | unknown | — | — | 4y ago | RubyGems Link Following vulnerability | |||
| CVE-2018-1000075 | unknown | — | — | 4y ago | RubyGems Infinite Loop vulnerability | |||
| CVE-2018-16886 | unknown | — | — | 4y ago | etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd … | |||
| CVE-2018-25031 | unknown | — | — | 4y ago | Spoofing attack in swagger-ui | |||
| CVE-2018-1098 | unknown | — | — | 4y ago | A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done wit… | |||
| CVE-2018-1099 | unknown | — | — | 4y ago | DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other add… | |||
| CVE-2018-21234 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Jodd | |||
| CVE-2018-11764 | unknown | — | — | 4y ago | Authentication bypass in Apache Hadoop | |||
| CVE-2018-11802 | unknown | — | — | 4y ago | Incorrect Authorization in Apache Solr | |||
| CVE-2018-16153 | unknown | — | — | 5y ago | Opencast publishes global system account credentials | |||
| CVE-2018-11765 | unknown | — | — | 5y ago | Improper Authentication in Apache Hadoop | |||
| CVE-2018-25007 | unknown | — | — | 5y ago | Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11 | |||
| CVE-2018-1285 | unknown | — | — | 5y ago | Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled … | |||
| CVE-2018-5968 | unknown | — | — | 6y ago | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization fl… | |||
| CVE-2018-10237 | unknown | — | — | 6y ago | Denial of Service in Google Guava | |||
| CVE-2018-15756 | unknown | — | — | 6y ago | Denial of Service in Spring Framework | |||
| CVE-2018-12023 | unknown | — | — | 6y ago | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JD… | |||
| CVE-2018-19296 | unknown | — | — | 6y ago | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. | |||
| CVE-2018-11768 | unknown | — | — | 7y ago | user/group information can be corrupted across storing in fsimage and reading back from fsimage | |||
| CVE-2018-15890 | unknown | — | — | 7y ago | Deserialization of Untrusted Data in EthereumJ | |||
| CVE-2018-11307 | unknown | — | — | 7y ago | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11… | |||
| CVE-2018-8029 | unknown | — | — | 7y ago | Privilege escalation vulnerability in Apache Hadoop | |||
| CVE-2018-17201 | unknown | — | — | 7y ago | Improper Input Validation in Apache Sanselan | |||
| CVE-2018-17202 | unknown | — | — | 7y ago | Infinite Loop in Apache Sanselan | |||
| CVE-2018-8035 | unknown | — | — | 7y ago | Cross-site Scripting in Apache UIMA | |||
| CVE-2018-1328 | unknown | — | — | 7y ago | Cross-site Scripting in Apache Zeppelin | |||
| CVE-2018-1317 | unknown | — | — | 7y ago | Improper Authentication in Apache Zeppelin | |||
| CVE-2018-12545 | unknown | — | — | 7y ago | Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server | |||
| CVE-2018-12022 | unknown | — | — | 7y ago | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db j… | |||
| CVE-2018-11767 | unknown | — | — | 7y ago | Improper Privilege Management in org.apache.hadoop:hadoop-main | |||
| CVE-2018-1324 | unknown | — | — | 7y ago | Apache Commons Compress vulnerable to denial of service due to infinite loop | |||
| CVE-2018-1334 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark | |||
| CVE-2018-8024 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL | |||
| CVE-2018-11793 | unknown | — | — | 7y ago | Stack Overflow in Apache Mesos | |||
| CVE-2018-1296 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Hadoop | |||
| CVE-2018-20242 | unknown | — | — | 7y ago | Cross-site Scripting in jspwiki-war | |||
| CVE-2018-1320 | unknown | — | — | 8y ago | Improper Input Validation in Apache Thrift | |||
| CVE-2018-11798 | unknown | — | — | 8y ago | Apache Thrift Node.js static web server sandbox escape | |||
| CVE-2018-11787 | unknown | — | — | 8y ago | Improper Authentication in Apache Karaf | |||
| CVE-2018-11788 | unknown | — | — | 8y ago | XML External Entity Reference in Apache Karaf | |||
| CVE-2018-20433 | unknown | — | — | 8y ago | XML External Entity Reference in mchange:c3p0 | |||
| CVE-2018-14719 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deseriali… | |||
| CVE-2018-14720 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | |||
| CVE-2018-14721 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic de… | |||
| CVE-2018-19362 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. | |||
| CVE-2018-19361 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | |||
| CVE-2018-19360 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | |||
| CVE-2018-14718 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | |||
| CVE-2018-18893 | unknown | — | — | 8y ago | Jinjava calls getClass | |||
| CVE-2018-20594 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.hswebframework.web:hsweb-commons | |||
| CVE-2018-20595 | unknown | — | — | 8y ago | Cross-Site Request Forgery (CSRF) in hswebframework.web:hsweb-commons | |||
| CVE-2018-17197 | unknown | — | — | 8y ago | Apache Tika Denial of Service due to Infinite Loop in Tika's SQLite3Parser | |||
| CVE-2018-8009 | unknown | — | — | 8y ago | Path Traversal in Hadoop | |||
| CVE-2018-11766 | unknown | — | — | 8y ago | Arbitrary Command Execution in Hadoop | |||
| CVE-2018-11786 | unknown | — | — | 8y ago | Improper Privilege Management in Apache Karaf | |||
| CVE-2018-14637 | unknown | — | — | 8y ago | Improper Authentication in Keycloak | |||
| CVE-2018-1000844 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in Square Retrofit | |||
| CVE-2018-1000850 | unknown | — | — | 8y ago | Directory Traversal vulnerability in Square Retrofit | |||
| CVE-2018-1000873 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects com.fasterxml.jackson.datatype:jackson-datatype-jsr353 | |||
| CVE-2018-1000854 | unknown | — | — | 8y ago | Remote Code Execution in esigate-core | |||
| CVE-2018-1000836 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in bw-calendar-engine | |||
| CVE-2018-17195 | unknown | — | — | 8y ago | Cleartext Transmission of Sensitive Information in Apache nifi | |||
| CVE-2018-17193 | unknown | — | — | 8y ago | Cross site scripting in org.apache.nifi:nifi | |||
| CVE-2018-17194 | unknown | — | — | 8y ago | Apache NiFi Improper Input Validation vulnerability | |||
| CVE-2018-17192 | unknown | — | — | 8y ago | Improper Restriction of Rendered UI Layers or Frames in Apache nifif | |||
| CVE-2018-1000823 | unknown | — | — | 8y ago | exist-db:exist-core XML External Entity (XXE) vulnerability | |||
| CVE-2018-1000822 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in codelibs fess | |||
| CVE-2018-1000820 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in neo4j.procedure:apoc | |||
| CVE-2018-15801 | unknown | — | — | 8y ago | Spring Security vulnerable to Authorization Bypass | |||
| CVE-2018-11799 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.apache.oozie:oozie-core | |||
| CVE-2018-20094 | unknown | — | — | 8y ago | XXL-CONF Path Traversal vulnerability | |||
| CVE-2018-20000 | unknown | — | — | 8y ago | Improper Restriction of XML External Entity Reference in bedework:bw-webdav | |||
| CVE-2018-20059 | unknown | — | — | 8y ago | Improper Restriction of XML External Entity Reference in pippo-core | |||
| CVE-2018-19907 | unknown | — | — | 8y ago | OS Command Injection in craftercms:crafter-studio | |||
| CVE-2018-15795 | unknown | — | — | 8y ago | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Pivotal CredHub Service Broker | |||
| CVE-2018-11777 | unknown | — | — | 8y ago | Improper Authentication in hive:hive-exec | |||
| CVE-2018-1314 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.apache.hive:hive-jdbc | |||
| CVE-2018-1282 | unknown | — | — | 8y ago | SQL Injection in hive-jdbc | |||
| CVE-2018-1284 | unknown | — | — | 8y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache hive |