CVEs from 2019
Total
3,162
critical
critical 238
high
high 484
medium
medium 485
low
low 95
% Critical
7.5%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-25028 | unknown | — | — | 5y ago | Stored cross-site scripting in Grid component in Vaadin 7 and 8 | |||
| CVE-2019-17638 | unknown | — | — | 6y ago | Operation on a Resource after Expiration or Release in Jetty Server | |||
| CVE-2019-13990 | unknown | — | — | 6y ago | XML external entity injection in Terracotta Quartz Scheduler | |||
| CVE-2019-17572 | unknown | — | — | 6y ago | Directory traversal in Apache RocketMQ | |||
| CVE-2019-2692 | unknown | — | — | 6y ago | Privilege escalation in mysql-connector-jav | |||
| CVE-2019-17267 | unknown | — | — | 6y ago | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. | |||
| CVE-2019-17570 | unknown | — | — | 6y ago | Insecure Deserialization in Apache XML-RPC | |||
| CVE-2019-17573 | unknown | — | — | 6y ago | Reflected Cross-Site Scripting in Apache CXF | |||
| CVE-2019-12423 | unknown | — | — | 6y ago | Private key leak in Apache CXF | |||
| CVE-2019-14893 | unknown | — | — | 6y ago | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when u… | |||
| CVE-2019-14892 | unknown | — | — | 6y ago | A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 … | |||
| CVE-2019-12399 | unknown | — | — | 6y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Kafka | |||
| CVE-2019-14820 | unknown | — | — | 6y ago | Exposure of Sensitive Information to an Unauthorized Actor in Keycloak | |||
| CVE-2019-19135 | unknown | — | — | 6y ago | Insufficient Nonce Validation in Eclipse Milo Client | |||
| CVE-2019-17569 | unknown | — | — | 6y ago | The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were … | |||
| CVE-2019-20444 | unknown | — | — | 6y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-20445 | unknown | — | — | 6y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-19703 | unknown | — | — | 6y ago | URL Redirection to Untrusted Site (Open Redirect) in Ktor | |||
| CVE-2019-10911 | unknown | — | — | 6y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with… | |||
| CVE-2019-10912 | unknown | — | — | 6y ago | In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul… | |||
| CVE-2019-11325 | unknown | — | — | 6y ago | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar… | |||
| CVE-2019-10172 | unknown | — | — | 6y ago | Improper Restriction of XML External Entity Reference in jackson-mapper-asl | |||
| CVE-2019-17556 | unknown | — | — | 6y ago | Deserialization of Untrusted Data in Apache Olingo | |||
| CVE-2019-17555 | unknown | — | — | 6y ago | Improper input validation in Apache Olingo | |||
| CVE-2019-12422 | unknown | — | — | 6y ago | Improper input validation in Apache Shiro | |||
| CVE-2019-10782 | unknown | — | — | 6y ago | XML external entity (XXE) processing ('external-parameter-entities' feature was not fully disabled)) | |||
| CVE-2019-10770 | unknown | — | — | 6y ago | Default development error handler in Ratpack is vulnerable to HTML content injection (XSS) | |||
| CVE-2019-10158 | unknown | — | — | 7y ago | Improper implementation of the session fixation protection in Infinispan | |||
| CVE-2019-10070 | unknown | — | — | 7y ago | Stored XSS in Apache Atlas | |||
| CVE-2019-10219 | unknown | — | — | 7y ago | The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks | |||
| CVE-2019-12418 | unknown | — | — | 7y ago | When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration f… | |||
| CVE-2019-17563 | unknown | — | — | 7y ago | When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The wind… | |||
| CVE-2019-12421 | unknown | — | — | 7y ago | Apache NiFi user log out issue | |||
| CVE-2019-10083 | unknown | — | — | 7y ago | Apache NiFi process group information disclosure | |||
| CVE-2019-10080 | unknown | — | — | 7y ago | Apache NiFi information disclosure by XXE | |||
| CVE-2019-17632 | unknown | — | — | 7y ago | Unescaped exception messages in error responses in Jetty | |||
| CVE-2019-10913 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu… | |||
| CVE-2019-18886 | unknown | — | — | 7y ago | An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor… | |||
| CVE-2019-18888 | unknown | — | — | 7y ago | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM… | |||
| CVE-2019-18889 | unknown | — | — | 7y ago | An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel… | |||
| CVE-2019-10212 | unknown | — | — | 7y ago | Potential to access user credentials from the log files when debug logging enabled | |||
| CVE-2019-10910 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec… | |||
| CVE-2019-0207 | unknown | — | — | 7y ago | Path traversal attack on Windows platforms | |||
| CVE-2019-10909 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… | |||
| CVE-2019-12406 | unknown | — | — | 7y ago | Potential DOS attack due to unrestricted attachment count in messages | |||
| CVE-2019-12419 | unknown | — | — | 7y ago | Potential session hijack in Apache CXF | |||
| CVE-2019-10755 | unknown | — | — | 7y ago | Use of Cryptographically Weak Pseudo-Random Number Generator in org.pac4j:pac4j-saml | |||
| CVE-2019-11284 | unknown | — | — | 7y ago | Insufficiently Protected Credentials in Pivotal Reactor Netty | |||
| CVE-2019-17513 | unknown | — | — | 7y ago | io.ratpack:ratpack-core vulnerable to Improper Neutralization of Special Elements in Output ('Injection') | |||
| CVE-2019-17359 | unknown | — | — | 7y ago | Out-of-Memory Error in Bouncy Castle Crypto | |||
| CVE-2019-17195 | unknown | — | — | 7y ago | Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT | |||
| CVE-2019-17495 | unknown | — | — | 7y ago | Cross-site scripting in Swagger-UI | |||
| CVE-2019-17545 | unknown | — | — | 7y ago | GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded. | |||
| CVE-2019-12404 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10089 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10087 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10090 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-16869 | unknown | — | — | 7y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-12402 | unknown | — | — | 7y ago | Denial of Service in Apache Commons Compress | |||
| CVE-2019-10071 | unknown | — | — | 7y ago | Timing attack on HMAC signature comparison in Apache Tapestry | |||
| CVE-2019-16148 | unknown | — | — | 7y ago | Cross-site scripting in Sakai | |||
| CVE-2019-10199 | unknown | — | — | 7y ago | Improper Input Validation and Cross-Site Request Forgery in Keycloak | |||
| CVE-2019-10201 | unknown | — | — | 7y ago | Improper Verification of Cryptographic Signature in keycloak | |||
| CVE-2019-11777 | unknown | — | — | 7y ago | Improper Handling of Exceptional Conditions and Origin Validation Error in Eclipse Paho Java client library | |||
| CVE-2019-10753 | unknown | — | — | 7y ago | Incorrect Resource Transfer Between Spheres in eclipse-wtp | |||
| CVE-2019-5475 | unknown | — | — | 7y ago | OS Command Injection in Nexus Yum Repository Plugin | |||
| CVE-2019-12400 | unknown | — | — | 7y ago | Improper input validation in Apache Santuario XML Security for Java | |||
| CVE-2019-15477 | unknown | — | — | 7y ago | Cross-site Scripting in Jooby | |||
| CVE-2019-15488 | unknown | — | — | 7y ago | Cross-site Scripting in Ignite Realtime Openfire | |||
| CVE-2019-16137 | unknown | — | — | 7y ago | An issue was discovered in the spin crate before 0.5.2 for Rust, when RwLock is used. Because memory ordering is mishandled, two writers can acquire the lock at the same time, violating mutual exclus… | |||
| CVE-2019-12397 | unknown | — | — | 7y ago | Cross-site scripting in Apache Ranger | |||
| CVE-2019-10099 | unknown | — | — | 7y ago | Sensitive data written to disk unencrypted in Spark | |||
| CVE-2019-10088 | unknown | — | — | 7y ago | Allocation of Resources Without Limits or Throttling in Apache Tika | |||
| CVE-2019-10093 | unknown | — | — | 7y ago | Allocation of Resources Without Limits or Throttling in Apache Tika | |||
| CVE-2019-10094 | unknown | — | — | 7y ago | Allocation of Resources Without Limits or Throttling in Apache Tika | |||
| CVE-2019-10184 | unknown | — | — | 7y ago | Undertow Missing Authorization when requesting a protected directory without trailing slash | |||
| CVE-2019-14439 | unknown | — | — | 7y ago | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally e… | |||
| CVE-2019-14379 | unknown | — | — | 7y ago | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), lead… | |||
| CVE-2019-10173 | unknown | — | — | 7y ago | Deserialization of Untrusted Data and Code Injection in xstream | |||
| CVE-2019-0228 | unknown | — | — | 7y ago | Vulnerability that affects org.apache.pdfbox:pdfbox | |||
| CVE-2019-9827 | unknown | — | — | 7y ago | Server-Side Request Forgery in Hawt Hawtio | |||
| CVE-2019-9843 | unknown | — | — | 7y ago | Improper Restriction of XML External Entity Reference in DiffPlug Spotless | |||
| CVE-2019-3875 | unknown | — | — | 7y ago | Improper Certificate Validation and Insufficient Verification of Data Authenticity in Keycloak | |||
| CVE-2019-11272 | unknown | — | — | 7y ago | Insufficiently Protected Credentials and Improper Authentication in Spring Security | |||
| CVE-2019-10072 | unknown | — | — | 7y ago | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDA… | |||
| CVE-2019-5442 | unknown | — | — | 7y ago | XML Entity Expansion in Pippo | |||
| CVE-2019-3888 | unknown | — | — | 7y ago | Credential exposure through log files in Undertow | |||
| CVE-2019-12741 | unknown | — | — | 7y ago | Cross-site Scripting in HAPI FHIR | |||
| CVE-2019-10078 | unknown | — | — | 7y ago | Cross-site Scriptin in JSPWiki | |||
| CVE-2019-10077 | unknown | — | — | 7y ago | Cross-site Scripting in JSPWiki | |||
| CVE-2019-10076 | unknown | — | — | 7y ago | Cross-Site Scripting in JSPWiki | |||
| CVE-2019-3802 | unknown | — | — | 7y ago | Improper Neutralization of Wildcards or Matching Symbols | |||
| CVE-2019-0201 | unknown | — | — | 7y ago | Access control bypass in Apache ZooKeeper | |||
| CVE-2019-0188 | unknown | — | — | 7y ago | XML External Entity injection in Apache Camel | |||
| CVE-2019-3797 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor and SQL Injection in Spring Data JPA | |||
| CVE-2019-11808 | unknown | — | — | 7y ago | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack | |||
| CVE-2019-0213 | unknown | — | — | 7y ago | Cross-site scripting in Apache Archiva | |||
| CVE-2019-0214 | unknown | — | — | 7y ago | Improper Input Validation in Apache Archiva | |||
| CVE-2019-0194 | unknown | — | — | 7y ago | Path Traversal in Apache Camel | |||
| CVE-2019-3868 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Keycloak |