CVEs from 2019
- Total: 3,164
- critical: 231
- high: 484
- medium: 484
- low: 94
- % Critical: 7.3%
- % with KEV: 3.7%
- % with exploit: 8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10913 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu… | |||
| CVE-2019-18886 | unknown | — | — | 7y ago | An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor… | |||
| CVE-2019-18888 | unknown | — | — | 7y ago | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM… | |||
| CVE-2019-18889 | unknown | — | — | 7y ago | An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel… | |||
| CVE-2019-10212 | unknown | — | — | 7y ago | Potential to access user credentials from the log files when debug logging enabled | |||
| CVE-2019-10910 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec… | |||
| CVE-2019-0207 | unknown | — | — | 7y ago | Path traversal attack on Windows platforms | |||
| CVE-2019-10909 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… | |||
| CVE-2019-12406 | unknown | — | — | 7y ago | Potential DOS attack due to unrestricted attachment count in messages | |||
| CVE-2019-12419 | unknown | — | — | 7y ago | Potential session hijack in Apache CXF | |||
| CVE-2019-10755 | unknown | — | — | 7y ago | Use of Cryptographically Weak Pseudo-Random Number Generator in org.pac4j:pac4j-saml | |||
| CVE-2019-11284 | unknown | — | — | 7y ago | Insufficiently Protected Credentials in Pivotal Reactor Netty | |||
| CVE-2019-17513 | unknown | — | — | 7y ago | io.ratpack:ratpack-core vulnerable to Improper Neutralization of Special Elements in Output ('Injection') | |||
| CVE-2019-17359 | unknown | — | — | 7y ago | Out-of-Memory Error in Bouncy Castle Crypto | |||
| CVE-2019-17195 | unknown | — | — | 7y ago | Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT | |||
| CVE-2019-17495 | unknown | — | — | 7y ago | Cross-site scripting in Swagger-UI | |||
| CVE-2019-17545 | unknown | — | — | 7y ago | GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded. | |||
| CVE-2019-12404 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10089 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10087 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10090 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-16869 | unknown | — | — | 7y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-12402 | unknown | — | — | 7y ago | Denial of Service in Apache Commons Compress | |||
| CVE-2019-10071 | unknown | — | — | 7y ago | Timing attack on HMAC signature comparison in Apache Tapestry | |||
| CVE-2019-16148 | unknown | — | — | 7y ago | Cross-site scripting in Sakai | |||
| CVE-2019-10199 | unknown | — | — | 7y ago | Improper Input Validation and Cross-Site Request Forgery in Keycloak | |||
| CVE-2019-10201 | unknown | — | — | 7y ago | Improper Verification of Cryptographic Signature in keycloak | |||
| CVE-2019-11777 | unknown | — | — | 7y ago | Improper Handling of Exceptional Conditions and Origin Validation Error in Eclipse Paho Java client library | |||
| CVE-2019-10753 | unknown | — | — | 7y ago | Incorrect Resource Transfer Between Spheres in eclipse-wtp | |||
| CVE-2019-5475 | unknown | — | — | 7y ago | OS Command Injection in Nexus Yum Repository Plugin | |||
| CVE-2019-12400 | unknown | — | — | 7y ago | Improper input validation in Apache Santuario XML Security for Java | |||
| CVE-2019-15477 | unknown | — | — | 7y ago | Cross-site Scripting in Jooby | |||
| CVE-2019-15488 | unknown | — | — | 7y ago | Cross-site Scripting in Ignite Realtime Openfire | |||
| CVE-2019-16137 | unknown | — | — | 7y ago | An issue was discovered in the spin crate before 0.5.2 for Rust, when RwLock is used. Because memory ordering is mishandled, two writers can acquire the lock at the same time, violating mutual exclus… | |||
| CVE-2019-12397 | unknown | — | — | 7y ago | Cross-site scripting in Apache Ranger | |||
| CVE-2019-10099 | unknown | — | — | 7y ago | Sensitive data written to disk unencrypted in Spark | |||
| CVE-2019-10088 | unknown | — | — | 7y ago | Allocation of Resources Without Limits or Throttling in Apache Tika | |||
| CVE-2019-10093 | unknown | — | — | 7y ago | Allocation of Resources Without Limits or Throttling in Apache Tika | |||
| CVE-2019-10094 | unknown | — | — | 7y ago | Allocation of Resources Without Limits or Throttling in Apache Tika | |||
| CVE-2019-10184 | unknown | — | — | 7y ago | Undertow Missing Authorization when requesting a protected directory without trailing slash | |||
| CVE-2019-14439 | unknown | — | — | 7y ago | Deserialization of untrusted data in FasterXML jackson-databind | |||
| CVE-2019-14379 | unknown | — | — | 7y ago | Deserialization of untrusted data in FasterXML jackson-databind | |||
| CVE-2019-10173 | unknown | — | — | 7y ago | Deserialization of Untrusted Data and Code Injection in xstream | |||
| CVE-2019-0228 | unknown | — | — | 7y ago | Vulnerability that affects org.apache.pdfbox:pdfbox | |||
| CVE-2019-9827 | unknown | — | — | 7y ago | Server-Side Request Forgery in Hawt Hawtio | |||
| CVE-2019-9843 | unknown | — | — | 7y ago | Improper Restriction of XML External Entity Reference in DiffPlug Spotless | |||
| CVE-2019-3875 | unknown | — | — | 7y ago | Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak | |||
| CVE-2019-11272 | unknown | — | — | 7y ago | Insufficiently Protected Credentials and Improper Authentication in Spring Security | |||
| CVE-2019-10072 | unknown | — | — | 7y ago | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDA… | |||
| CVE-2019-5442 | unknown | — | — | 7y ago | XML Entity Expansion in Pippo | |||
| CVE-2019-3888 | unknown | — | — | 7y ago | Credential exposure through log files in Undertow | |||
| CVE-2019-12741 | unknown | — | — | 7y ago | Cross-site Scripting in HAPI FHIR | |||
| CVE-2019-10078 | unknown | — | — | 7y ago | Cross-site Scripting in JSPWiki | |||
| CVE-2019-10077 | unknown | — | — | 7y ago | Cross-site Scripting in JSPWiki | |||
| CVE-2019-10076 | unknown | — | — | 7y ago | Cross-Site Scripting in JSPWiki | |||
| CVE-2019-3802 | unknown | — | — | 7y ago | Improper Neutralization of Wildcards or Matching Symbols | |||
| CVE-2019-0201 | unknown | — | — | 7y ago | Access control bypass in Apache ZooKeeper | |||
| CVE-2019-0188 | unknown | — | — | 7y ago | XML External Entity injection in Apache Camel | |||
| CVE-2019-3797 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor and SQL Injection in Spring Data JPA | |||
| CVE-2019-11808 | unknown | — | — | 7y ago | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack | |||
| CVE-2019-0213 | unknown | — | — | 7y ago | Cross-site scripting in Apache Archiva | |||
| CVE-2019-0214 | unknown | — | — | 7y ago | Improper Input Validation in Apache Archiva | |||
| CVE-2019-0194 | unknown | — | — | 7y ago | Path Traversal in Apache Camel | |||
| CVE-2019-3868 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Keycloak | |||
| CVE-2019-15542 | unknown | — | — | 7y ago | An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization. | |||
| CVE-2019-10246 | unknown | — | — | 7y ago | Information Exposure vulnerability in Eclipse Jetty | |||
| CVE-2019-10247 | unknown | — | — | 7y ago | Installation information leak in Eclipse Jetty | |||
| CVE-2019-10241 | unknown | — | — | 7y ago | Cross-site Scripting in Eclipse Jetty | |||
| CVE-2019-5427 | unknown | — | — | 7y ago | Billion laughs attack in c3p0 | |||
| CVE-2019-11404 | unknown | — | — | 7y ago | Missing Encryption of Sensitive Data in arrow-kt Arrow | |||
| CVE-2019-10686 | unknown | — | — | 7y ago | Server-Side Request Forgery (SSRF) in com.ctrip.framework.apollo:apollo | |||
| CVE-2019-3795 | unknown | — | — | 7y ago | Spring Security uses insufficiently random values | |||
| CVE-2019-10240 | unknown | — | — | 7y ago | Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere, and Download of Code Without Integrity Check in Eclipse hawkBit | |||
| CVE-2019-0225 | unknown | — | — | 7y ago | Improper Limitation of a Pathname ('Path Traversal') in org.apache.jspwiki:jspwiki-war | |||
| CVE-2019-1010260 | unknown | — | — | 7y ago | High severity vulnerability that affects com.github.shyiko.ktlint:ktlint-core | |||
| CVE-2019-0212 | unknown | — | — | 7y ago | Improper Authorization in org.apache.hbase:hbase | |||
| CVE-2019-0224 | unknown | — | — | 7y ago | Moderate severity vulnerability that affects org.apache.jspwiki:jspwiki-main | |||
| CVE-2019-0222 | unknown | — | — | 7y ago | Improper Control of Generation of Code ('Code Injection') in org.apache.activemq:activemq-client | |||
| CVE-2019-10648 | unknown | — | — | 7y ago | Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of… | |||
| CVE-2019-0191 | unknown | — | — | 7y ago | Moderate severity vulnerability that affects org.apache.karaf:apache-karaf and org.apache.karaf:karaf | |||
| CVE-2019-0192 | unknown | — | — | 7y ago | Critical severity vulnerability that affects org.apache.solr:solr-core | |||
| CVE-2019-9658 | unknown | — | — | 7y ago | Moderate severity vulnerability that affects com.puppycrawl.tools:checkstyle | |||
| CVE-2019-0200 | unknown | — | — | 7y ago | Improper Input Validation in Apache Qpid Broker-J | |||
| CVE-2019-0187 | unknown | — | — | 7y ago | Unauthenticated Remote Code Execution in Apache JMeter | |||
| CVE-2019-9212 | unknown | — | — | 7y ago | Incomplete List of Disallowed Inputs in SOFA-Hessian | |||
| CVE-2019-9142 | unknown | — | — | 7y ago | Moderate severity vulnerability that affects org.b3log:symphony | |||
| CVE-2019-3774 | unknown | — | — | 8y ago | Low severity vulnerability that affects org.springframework.batch:spring-batch-core | |||
| CVE-2019-3773 | unknown | — | — | 8y ago | Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml | |||
| CVE-2019-3772 | unknown | — | — | 8y ago | Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml | |||