CVEs from 2019
Total
3,165
critical
critical 231
high
high 484
medium
medium 483
low
low 94
% Critical
7.3%
% with KEV
3.7%
% with exploit
8.0%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-6956 | high | — | 8.0 | — | An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It is a buffer over-read in ps_mix_phase in libfaad/ps_dec.c. | |||
| CVE-2019-13693 | high | — | 8.0 | — | Use after free in IndexedDB in Google Chrome prior to 77.0.3865.120 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. | |||
| CVE-2019-0053 | high | — | 8.0 | — | Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS… | |||
| CVE-2019-13715 | high | — | 8.0 | — | Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-5847 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 75.0.3770.142 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-1351 | high | — | 8.0 | — | A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'. | |||
| CVE-2019-13705 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 78.0.3904.70 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted … | |||
| CVE-2019-19604 | high | — | 8.0 | — | Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can… | |||
| CVE-2019-13695 | high | — | 8.0 | — | Use after free in audio in Google Chrome on Android prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-18182 | high | — | 8.0 | — | arbitrary command execution in pacman | |||
| CVE-2019-13711 | high | — | 8.0 | — | Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-14318 | high | — | 8.0 | — | Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing opera… | |||
| CVE-2019-13699 | high | — | 8.0 | — | Use after free in media in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-11683 | high | — | 8.0 | — | udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel 5.x before 5.0.13 allows remote attackers to cause a denial of service (slab-out-of-bounds memory corruption) or possibly have un… | |||
| CVE-2019-5864 | high | — | 8.0 | — | Insufficient data validation in CORS in Google Chrome prior to 76.0.3809.87 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted C… | |||
| CVE-2019-13701 | high | — | 8.0 | — | Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-5794 | high | — | 8.0 | — | Incorrect handling of cancelled requests in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-5802 | high | — | 8.0 | — | Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2019-5867 | high | — | 8.0 | — | Out of bounds read in JavaScript in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13719 | high | — | 8.0 | — | Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||
| CVE-2019-5868 | high | — | 8.0 | — | Use after free in PDFium in Google Chrome prior to 76.0.3809.100 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-13710 | high | — | 8.0 | — | Insufficient validation of untrusted input in downloads in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass download restrictions via a crafted HTML page. | |||
| CVE-2019-5792 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. | |||
| CVE-2019-8337 | high | — | 8.0 | — | In msmtp 1.8.2 and mpop 1.4.3, when tls_trust_file has its default configuration, certificate-verification results are not properly checked. | |||
| CVE-2019-3871 | high | — | 8.0 | — | A vulnerability was found in PowerDNS Authoritative Server before 4.0.7 and before 4.1.7. An insufficient validation of data coming from the user when building a HTTP request from a DNS query in the … | |||
| CVE-2019-11741 | high | — | 8.0 | — | A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org a… | |||
| CVE-2019-13708 | high | — | 8.0 | — | Inappropriate implementation in navigation in Google Chrome on iOS prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2019-13716 | high | — | 8.0 | — | Insufficient policy enforcement in service workers in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2019-9686 | high | — | 8.0 | — | arbitrary code execution in pacman | |||
| CVE-2019-13717 | high | — | 8.0 | — | Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page. | |||
| CVE-2019-13718 | high | — | 8.0 | — | Insufficient data validation in Omnibox in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. | |||
| CVE-2019-6472 | high | — | 8.0 | — | A packet containing a malformed DUID can cause the Kea DHCPv6 server process (kea-dhcp6) to exit due to an assertion failure. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2. | |||
| CVE-2019-13700 | high | — | 8.0 | — | Out of bounds memory access in the gamepad API in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a c… | |||
| CVE-2019-8343 | high | — | 8.0 | — | In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c. | |||
| CVE-2019-19977 | high | — | 8.0 | — | libESMTP through 1.0.6 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as demonstrated by a stack-based buffer over-read. | |||
| CVE-2019-1354 | high | — | 8.0 | — | A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-201… | |||
| CVE-2019-2201 | high | — | 8.0 | — | In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged proces… | |||
| CVE-2019-0190 | high | — | 8.0 | — | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This b… | |||
| CVE-2019-5795 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially perform out of bounds memory access via a crafted PDF file. | |||
| CVE-2019-5793 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to initiate the extensions installation user interface via a crafted HTML page. | |||
| CVE-2019-5861 | high | — | 8.0 | — | Insufficient data validation in Blink in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to bypass anti-clickjacking policy via a crafted HTML page. | |||
| CVE-2019-11734 | high | — | 8.0 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 68. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of… | |||
| CVE-2019-11737 | high | — | 8.0 | — | If a wildcard ('*') is specified for the host in Content Security Policy (CSP) directives, any port or path restriction of the directive will be ignored, leading to CSP directives not being properly … | |||
| CVE-2019-6474 | high | — | 8.0 | — | A missing check on incoming client requests can be exploited to cause a situation where the Kea server's lease storage contains leases which are rejected as invalid when the server tries to load leas… | |||
| CVE-2019-6473 | high | — | 8.0 | — | An invalid hostname option can trigger an assertion failure in the Kea DHCPv4 server process (kea-dhcp4), causing the server process to exit. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0… | |||
| CVE-2019-5854 | high | — | 8.0 | — | Integer overflow in PDFium in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-5849 | high | — | 8.0 | — | Out of bounds read in Skia in Google Chrome prior to 75.0.3770.80 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-5850 | high | — | 8.0 | — | Use after free in offline mode in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML pag… | |||
| CVE-2019-5852 | high | — | 8.0 | — | Inappropriate implementation in JavaScript in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2019-5856 | high | — | 8.0 | — | Insufficient policy enforcement in storage in Google Chrome prior to 76.0.3809.87 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. | |||
| CVE-2019-13694 | high | — | 8.0 | — | Use after free in WebRTC in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13696 | high | — | 8.0 | — | Use after free in JavaScript in Google Chrome prior to 77.0.3865.120 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-13702 | high | — | 8.0 | — | Inappropriate implementation in installer in Google Chrome on Windows prior to 78.0.3904.70 allowed a local attacker to perform privilege escalation via a crafted executable. | |||
| CVE-2019-13704 | high | — | 8.0 | — | Insufficient policy enforcement in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-13706 | high | — | 8.0 | — | Out of bounds memory access in PDFium in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2019-13713 | high | — | 8.0 | — | Insufficient policy enforcement in JavaScript in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2019-13714 | high | — | 8.0 | — | Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | |||
| CVE-2019-5791 | high | — | 8.0 | — | Inappropriate optimization in V8 in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. | |||
| CVE-2019-5799 | high | — | 8.0 | — | Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2019-5787 | high | — | 8.0 | — | Use-after-garbage-collection in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2019-7524 | high | — | 8.0 | — | In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing c… | |||
| CVE-2019-8904 | high | — | 8.0 | — | do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf. | |||
| CVE-2019-8905 | high | — | 8.0 | — | do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360. | |||
| CVE-2019-8906 | high | — | 8.0 | — | do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused. | |||
| CVE-2019-8907 | high | — | 8.0 | — | do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact. | |||
| CVE-2019-9848 | high | — | 8.0 | — | LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLo… | |||
| CVE-2019-11461 | high | — | 8.0 | — | An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.32 prior to 3.32.1. A compromised thumbnailer may escape the bubblewrap sandbox used to confine thumbnailers by using the TIOCSTI … | |||
| CVE-2019-16866 | high | — | 8.0 | — | Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule. | |||
| CVE-2019-5790 | high | — | 8.0 | — | An integer overflow leading to an incorrect capacity of a buffer in JavaScript in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafte… | |||
| CVE-2019-15717 | high | — | 8.0 | — | Irssi 1.2.x before 1.2.2 has a use-after-free if the IRC server sends a double CAP. | |||
| CVE-2019-19450 | high | — | 8.0 | 3y ago | RHSA-2023:5790: python-reportlab security update (Important) | |||
| CVE-2019-17626 | high | — | 8.0 | 4y ago | RHSA-2020:0201: python-reportlab security update (Important) | |||
| CVE-2019-10195 | high | — | 8.0 | 4y ago | RHBA-2019:4268: idm:DL1 bug fix update (Important) | |||
| CVE-2019-18466 | high | — | 8.0 | 4y ago | RHSA-2019:4269: container-tools:rhel8 security and bug fix update (Important) | |||
| CVE-2019-9512 | high | — | 8.0 | 4y ago | RHSA-2019:4273: container-tools:1.0 security update (Important) | |||
| CVE-2019-9514 | high | — | 8.0 | 4y ago | RHSA-2019:4273: container-tools:1.0 security update (Important) | |||
| CVE-2019-10352 | high | — | 8.0 | 4y ago | Improper Limitation of a Pathname to a Restricted Directory in Jenkins | |||
| CVE-2019-10353 | high | — | 8.0 | 4y ago | Cross-Site Request Forgery in Jenkins | |||
| CVE-2019-10354 | high | — | 8.0 | 4y ago | Missing Authorization in Jenkins | |||
| CVE-2019-0981 | high | — | 8.0 | 4y ago | RHSA-2019:1259: dotnet security, bug fix, and enhancement update (Important) | |||
| CVE-2019-0980 | high | — | 8.0 | 4y ago | RHSA-2019:1259: dotnet security, bug fix, and enhancement update (Important) | |||
| CVE-2019-2435 | high | — | 8.0 | 4y ago | Improper Access Control in MySQL Connector Python | |||
| CVE-2019-5885 | high | — | 8.0 | 4y ago | Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers … | |||
| CVE-2019-16884 | high | — | 8.0 | 4y ago | RHSA-2019:4269: container-tools:rhel8 security and bug fix update (Important) | |||
| CVE-2019-10214 | high | — | 8.0 | 4y ago | RHSA-2019:3494: container-tools:1.0 security and bug fix update (Important) | |||
| CVE-2019-14867 | high | — | 8.0 | 5y ago | RHBA-2019:4268: idm:DL1 bug fix update (Important) | |||
| CVE-2019-0820 | high | — | 8.0 | 5y ago | RHSA-2019:1259: dotnet security, bug fix, and enhancement update (Important) | |||
| CVE-2019-19523 | high | — | 8.0 | 5y ago | In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. | |||
| CVE-2019-19528 | high | — | 8.0 | 5y ago | In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver, aka CID-edc4746f253d. | |||
| CVE-2019-18811 | high | — | 8.0 | 5y ago | A memory leak in the sof_set_get_large_ctrl_data() function in sound/soc/sof/ipc.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering s… | |||
| CVE-2019-2974 | high | — | 8.0 | 6y ago | RHSA-2020:5500: mariadb:10.3 security, bug fix, and enhancement update (Important) | |||
| CVE-2019-2938 | high | — | 8.0 | 6y ago | RHSA-2020:5500: mariadb:10.3 security, bug fix, and enhancement update (Important) | |||
| CVE-2019-3018 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) | |||
| CVE-2019-2966 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) | |||
| CVE-2019-3011 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) | |||
| CVE-2019-3009 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) | |||
| CVE-2019-2997 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) | |||
| CVE-2019-2968 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) | |||
| CVE-2019-2960 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) | |||
| CVE-2019-2963 | high | — | 8.0 | 6y ago | RHSA-2020:3732: mysql:8.0 security update (Important) |