CVEs from 2019
Total
3,164
critical
critical 238
high
high 485
medium
medium 485
low
low 94
% Critical
7.5%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-18182 | high | — | 8.0 | — | arbitrary command execution in pacman | |||
| CVE-2019-1351 | high | — | 8.0 | — | A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'. | |||
| CVE-2019-8377 | high | — | 8.0 | — | An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference occurred in the function get_ipv6_l4proto() located at get.c. This can be triggered by sending a crafted pcap file to the tcprep… | |||
| CVE-2019-0190 | high | — | 8.0 | — | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This b… | |||
| CVE-2019-13694 | high | — | 8.0 | — | Use after free in WebRTC in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13696 | high | — | 8.0 | — | Use after free in JavaScript in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13702 | high | — | 8.0 | — | Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable. | |||
| CVE-2019-13704 | high | — | 8.0 | — | Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-13706 | high | — | 8.0 | — | Out of bounds memory access in PDFium in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-13713 | high | — | 8.0 | — | Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-8337 | high | — | 8.0 | — | In msmtp 1.8.2 and mpop 1.4.3, when tls_trust_file has its default configuration, certificate-verification results are not properly checked. | |||
| CVE-2019-13714 | high | — | 8.0 | — | Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | |||
| CVE-2019-2201 | high | — | 8.0 | — | In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged proces… | |||
| CVE-2019-6956 | high | — | 8.0 | — | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It is a buffer over-read in ps_mix_phase in libfaad/ps_dec.c. | |||
| CVE-2019-13703 | high | — | 8.0 | — | Insufficient policy enforcement in the Omnibox in Google Chrome on Android prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-13707 | high | — | 8.0 | — | Insufficient validation of untrusted input in intents in Google Chrome on Android prior to 78.0.3904.70 allowed a local attacker to leak files via a crafted application. | |||
| CVE-2019-5794 | high | — | 8.0 | — | Incorrect handling of cancelled requests in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-5795 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. | |||
| CVE-2019-5793 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to initiate the extensions installation user interface via a crafted HTML page. | |||
| CVE-2019-13715 | high | — | 8.0 | — | Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-13716 | high | — | 8.0 | — | Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-13717 | high | — | 8.0 | — | Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||
| CVE-2019-13719 | high | — | 8.0 | — | Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||
| CVE-2019-5842 | high | — | 8.0 | — | Use after free in Blink in Google Chrome prior to 75.0.3770.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5857 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. | |||
| CVE-2019-5859 | high | — | 8.0 | — | Insufficient filtering in URI schemes in Google Chrome on Windows prior to 76.0.3809.87 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-5848 | high | — | 8.0 | — | Incorrect font handling in autofill in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-5851 | high | — | 8.0 | — | Use after free in WebAudio in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5862 | high | — | 8.0 | — | Insufficient data validation in AppCache in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||
| CVE-2019-13718 | high | — | 8.0 | — | Insufficient data validation in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-5865 | high | — | 8.0 | — | Insufficient policy enforcement in navigations in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML pa… | |||
| CVE-2019-9686 | high | — | 8.0 | — | arbitrary code execution in pacman | |||
| CVE-2019-19882 | high | — | 8.0 | — | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affe… | |||
| CVE-2019-3871 | high | — | 8.0 | — | A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the … | |||
| CVE-2019-5847 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-5790 | high | — | 8.0 | — | An integer overflow leading to an incorrect capacity of a buffer in JavaScript in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafte… | |||
| CVE-2019-0053 | high | — | 8.0 | — | Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS… | |||
| CVE-2019-5849 | high | — | 8.0 | — | Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-5850 | high | — | 8.0 | — | Use after free in offline mode in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML pag… | |||
| CVE-2019-5852 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-9848 | high | — | 8.0 | — | LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLo… | |||
| CVE-2019-5868 | high | — | 8.0 | — | Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-13709 | high | — | 8.0 | — | Insufficient policy enforcement in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||
| CVE-2019-6473 | high | — | 8.0 | — | An invalid hostname option can trigger an assertion failure in the Kea DHCPv4 server process (kea-dhcp4), causing the server process to exit. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0… | |||
| CVE-2019-11741 | high | — | 8.0 | — | A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org a… | |||
| CVE-2019-5860 | high | — | 8.0 | — | Use after free in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-5435 | high | — | 8.0 | — | An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. | |||
| CVE-2019-8905 | high | — | 8.0 | — | do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. | |||
| CVE-2019-8343 | high | — | 8.0 | — | In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c. | |||
| CVE-2019-8906 | high | — | 8.0 | — | do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused. | |||
| CVE-2019-5858 | high | — | 8.0 | — | Incorrect security UI in MacOS services integration in Google Chrome on OS X prior to 76.0.3809.87 allowed a local attacker to execute arbitrary code via a crafted HTML page. | |||
| CVE-2019-5855 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-5853 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-16866 | high | — | 8.0 | — | Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule. | |||
| CVE-2019-5803 | high | — | 8.0 | — | Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-5864 | high | — | 8.0 | — | Insufficient data validation in CORS in Google Chrome prior to 76.0.3809.87 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted C… | |||
| CVE-2019-25016 | high | — | 8.0 | — | In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed t… | |||
| CVE-2019-13705 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 78.0.3904.70 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted … | |||
| CVE-2019-13701 | high | — | 8.0 | — | Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-13699 | high | — | 8.0 | — | Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13697 | high | — | 8.0 | — | Insufficient policy enforcement in performance APIs in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-5800 | high | — | 8.0 | — | Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-13708 | high | — | 8.0 | — | Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-18222 | high | — | 8.0 | — | The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to reco… | |||
| CVE-2019-8907 | high | — | 8.0 | — | do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact. | |||
| CVE-2019-14318 | high | — | 8.0 | — | Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing opera… | |||
| CVE-2019-5854 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-5792 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. | |||
| CVE-2019-8904 | high | — | 8.0 | — | do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf. | |||
| CVE-2019-1350 | high | — | 8.0 | — | A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-201… | |||
| CVE-2019-12881 | high | — | 8.0 | — | i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c in the Linux kernel 4.15.0 on Ubuntu 18.04.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) o… | |||
| CVE-2019-13693 | high | — | 8.0 | — | Use after free in IndexedDB in Google Chrome prior to 77.0.3865.120 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. | |||
| CVE-2019-11683 | high | — | 8.0 | — | udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have un… | |||
| CVE-2019-19977 | high | — | 8.0 | — | libESMTP through 1.0.6 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as demonstrated by a stack-based buffer over-read. | |||
| CVE-2019-13695 | high | — | 8.0 | — | Use after free in audio in Google Chrome on Android prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13711 | high | — | 8.0 | — | Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-13710 | high | — | 8.0 | — | Insufficient validation of untrusted input in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||
| CVE-2019-19450 | high | — | 8.0 | 3y ago | RHSA-2023:5790: python-reportlab security update (Important) | |||
| CVE-2019-17626 | high | — | 8.0 | 4y ago | RHSA-2020:0201: python-reportlab security update (Important) | |||
| CVE-2019-10195 | high | — | 8.0 | 4y ago | RHBA-2019:4268: idm:DL1 bug fix update (Important) | |||
| CVE-2019-18466 | high | — | 8.0 | 4y ago | RHSA-2019:4269: container-tools:rhel8 security and bug fix update (Important) | |||
| CVE-2019-9514 | high | — | 8.0 | 4y ago | RHSA-2019:4273: container-tools:1.0 security update (Important) | |||
| CVE-2019-9512 | high | — | 8.0 | 4y ago | RHSA-2019:4273: container-tools:1.0 security update (Important) | |||
| CVE-2019-10353 | high | — | 8.0 | 4y ago | Cross-Site Request Forgery in Jenkins | |||
| CVE-2019-10354 | high | — | 8.0 | 4y ago | Missing Authorization in Jenkins | |||
| CVE-2019-10352 | high | — | 8.0 | 4y ago | Improper Limitation of a Pathname to a Restricted Directory in Jenkins | |||
| CVE-2019-0981 | high | — | 8.0 | 4y ago | RHSA-2019:1259: dotnet security, bug fix, and enhancement update (Important) | |||
| CVE-2019-0980 | high | — | 8.0 | 4y ago | RHSA-2019:1259: dotnet security, bug fix, and enhancement update (Important) | |||
| CVE-2019-2435 | high | — | 8.0 | 4y ago | Improper Access Control in MySQL Connector Python | |||
| CVE-2019-5885 | high | — | 8.0 | 4y ago | Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers … | |||
| CVE-2019-16884 | high | — | 8.0 | 4y ago | RHSA-2019:4269: container-tools:rhel8 security and bug fix update (Important) | |||
| CVE-2019-10214 | high | — | 8.0 | 4y ago | RHSA-2019:3494: container-tools:1.0 security and bug fix update (Important) | |||
| CVE-2019-14867 | high | — | 8.0 | 5y ago | RHBA-2019:4268: idm:DL1 bug fix update (Important) | |||
| CVE-2019-0820 | high | — | 8.0 | 5y ago | RHSA-2019:1259: dotnet security, bug fix, and enhancement update (Important) | |||
| CVE-2019-19523 | high | — | 8.0 | 5y ago | In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. | |||
| CVE-2019-19528 | high | — | 8.0 | 5y ago | In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d. | |||
| CVE-2019-18811 | high | — | 8.0 | 5y ago | A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering s… | |||
| CVE-2019-2938 | high | — | 8.0 | 6y ago | RHSA-2020:5500: mariadb:10.3 security, bug fix, and enhancement update (Important) | |||
| CVE-2019-2974 | high | — | 8.0 | 6y ago | RHSA-2020:5500: mariadb:10.3 security, bug fix, and enhancement update (Important) | |||
| CVE-2019-2966 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) |