CVEs from 2019
- Total 3,175
- critical 231
- high 484
- medium 483
- low 94
- % Critical 7.3%
- % with KEV 3.7%
- % with exploit 7.9%
Top vendors
- intel 246
- schneider-electric 117
- netapp 61
- siemens 58
- oracle 36
- hp 23
- denx 20
- phoenixcontact 9
Top products
- u-boot 20
- crimson 8
- active_iq_unified_manager 7
- weblogic_server 5
- jdk 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4

| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-1003072 | unknown | — | — | 4y ago | Jenkins WildFly Deployer Plugin stores credentials in plain text | |||
| CVE-2019-1003071 | unknown | — | — | 4y ago | Jenkins Octopus Deploy Plugin stores credentials in plain text | |||
| CVE-2019-1003095 | unknown | — | — | 4y ago | Jenkins Perfecto Mobile Plugin stores credentials in plain text | |||
| CVE-2019-1003094 | unknown | — | — | 4y ago | Jenkins Open STF Plugin stores credentials in plain text | |||
| CVE-2019-1003077 | unknown | — | — | 4y ago | Missing permission check in Jenkins Audit to Database Plugin | |||
| CVE-2019-1003074 | unknown | — | — | 4y ago | Jenkins hyper.sh Commons Plugin stores credentials in plain text | |||
| CVE-2019-1003075 | unknown | — | — | 4y ago | Jenkins Audit to Database Plugin stores credentials in plain text | |||
| CVE-2019-1003088 | unknown | — | — | 4y ago | Jenkins Fabric-beta-publisher Plugin stores credentials in plain text | |||
| CVE-2019-1003089 | unknown | — | — | 4y ago | Jenkins Upload to pgyer Plugin stores credentials in plain text | |||
| CVE-2019-1003024 | unknown | — | — | 4y ago | Jenkins Script Security Plugin sandbox bypass vulnerability | |||
| CVE-2019-1003025 | unknown | — | — | 4y ago | Jenkins Cloud Foundry Plugin vulnerable to exposure of sensitive information | |||
| CVE-2019-1003006 | unknown | — | — | 4y ago | Jenkins Groovy Plugin sandbox bypass vulnerability | |||
| CVE-2019-1003048 | unknown | — | — | 4y ago | Jenkins PRQA Plugin stored password in plain text | |||
| CVE-2019-1003039 | unknown | — | — | 4y ago | Jenkins AppDynamics Dashboard Plugin has insufficiently protected credentials | |||
| CVE-2019-1003040 | unknown | — | — | 4y ago | Sandbox bypass vulnerability in Jenkins Script Security Plugin | |||
| CVE-2019-1003041 | unknown | — | — | 4y ago | Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin | |||
| CVE-2019-1003036 | unknown | — | — | 4y ago | Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration | |||
| CVE-2019-1003045 | unknown | — | — | 4y ago | ECS Publisher Plugin stored and displayed API token in plain text | |||
| CVE-2019-1003047 | unknown | — | — | 4y ago | SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin | |||
| CVE-2019-1003034 | unknown | — | — | 4y ago | Script security sandbox bypass in Jenkins Job DSL Plugin | |||
| CVE-2019-1003035 | unknown | — | — | 4y ago | Information disclosure in Azure VM Agents Plugin | |||
| CVE-2019-1003037 | unknown | — | — | 4y ago | Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin | |||
| CVE-2019-1003031 | unknown | — | — | 4y ago | Script security sandbox bypass in Matrix Project Plugin | |||
| CVE-2019-1003038 | unknown | — | — | 4y ago | Jenkins Repository Connector Plugin has insufficiently protected credentials | |||
| CVE-2019-10287 | unknown | — | — | 4y ago | Jenkins youtrack-plugin Plugin stored credentials in plain text | |||
| CVE-2019-1003032 | unknown | — | — | 4y ago | Script security sandbox bypass in Jenkins Email Extension Plugin | |||
| CVE-2019-1003033 | unknown | — | — | 4y ago | Jenkins Groovy Plugin sandbox bypass vulnerability | |||
| CVE-2019-10288 | unknown | — | — | 4y ago | Jenkins Jabber Server Plugin stores credentials in plain text | |||
| CVE-2019-10293 | unknown | — | — | 4y ago | Missing permission check in Jenkins Kmap Plugin allows SSRF | |||
| CVE-2019-10284 | unknown | — | — | 4y ago | Jenkins Diawi Upload Plugin stores credentials in plain text | |||
| CVE-2019-10283 | unknown | — | — | 4y ago | Jenkins mabl Plugin stores credentials in plain text | |||
| CVE-2019-10286 | unknown | — | — | 4y ago | Jenkins DeployHub Plugin stores credentials in plain text | |||
| CVE-2019-10279 | unknown | — | — | 4y ago | Missing permission check in Jenkins jenkins-reviewbot Plugin | |||
| CVE-2019-10285 | unknown | — | — | 4y ago | Jenkins Minio Storage Plugin stores credentials in plain text | |||
| CVE-2019-10299 | unknown | — | — | 4y ago | Jenkins CloudCoreo DeployTime Plugin stores credentials in plain text | |||
| CVE-2019-10297 | unknown | — | — | 4y ago | Jenkins Sametime Plugin stores credentials in plain text | |||
| CVE-2019-10291 | unknown | — | — | 4y ago | Jenkins Netsparker Enterprise Scan Plugin stored credentials in plain text | |||
| CVE-2019-10298 | unknown | — | — | 4y ago | Jenkins Koji Plugin stores credentials in plain text | |||
| CVE-2019-10282 | unknown | — | — | 4y ago | Jenkins Klaros-Testmanagement Plugin stores credentials in plain text | |||
| CVE-2019-10295 | unknown | — | — | 4y ago | Jenkins crittercism-dsym Plugin stores API key in plain text | |||
| CVE-2019-10294 | unknown | — | — | 4y ago | Jenkins Kmap Plugin stores credentials in plain text | |||
| CVE-2019-10281 | unknown | — | — | 4y ago | Jenkins Relution Enterprise Appstore Publisher Plugin stores credentials in plain text | |||
| CVE-2019-10296 | unknown | — | — | 4y ago | Jenkins Serena SRA Deploy Plugin stores credentials in plain text | |||
| CVE-2019-10277 | unknown | — | — | 4y ago | Jenkins StarTeam Plugin stores credentials in plain text | |||
| CVE-2019-10290 | unknown | — | — | 4y ago | Missing permission check in Jenkins Netsparker Cloud Scan Plugin | |||
| CVE-2019-10280 | unknown | — | — | 4y ago | Jenkins Assembla Auth Plugin stores credentials in plain text | |||
| CVE-2019-7611 | unknown | — | — | 4y ago | Improper Access Control in Elasticsearch | |||
| CVE-2019-3830 | unknown | — | — | 4y ago | A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated. | |||
| CVE-2019-5919 | unknown | — | — | 4y ago | Nablarch Incomplete Cryptography | |||
| CVE-2019-10876 | unknown | — | — | 4y ago | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated us… | |||
| CVE-2019-9735 | unknown | — | — | 4y ago | An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security… | |||
| CVE-2019-1003003 | unknown | — | — | 4y ago | Improper Authorization in Jenkins Core | |||
| CVE-2019-1003004 | unknown | — | — | 4y ago | Improper Authorization in Jenkins Core | |||
| CVE-2019-0204 | unknown | — | — | 4y ago | Docker image code execution with Apache Mesos | |||
| CVE-2019-18887 | unknown | — | — | 4y ago | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/h… | |||
| CVE-2019-3902 | unknown | — | — | 4y ago | A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository. | |||
| CVE-2019-14900 | unknown | — | — | 4y ago | SQL Injection in Hibernate ORM | |||
| CVE-2019-12416 | unknown | — | — | 4y ago | Injection in DeltaSpike | |||
| CVE-2019-10091 | unknown | — | — | 4y ago | Apache Geode SSL endpoint verification vulnerability | |||
| CVE-2019-11343 | unknown | — | — | 4y ago | Vulnerability in Torpedo Query | |||
| CVE-2019-17640 | unknown | — | — | 4y ago | Path Traversal in Eclipse Vert.x | |||
| CVE-2019-10797 | unknown | — | — | 4y ago | HTTP Response Splitting in WSO2 transport-http | |||
| CVE-2019-17566 | unknown | — | — | 4y ago | Server-side request forgery (SSRF) in Apache Batik | |||
| CVE-2019-17557 | unknown | — | — | 5y ago | Cross-site scripting in Apache Syncope EndUser | |||
| CVE-2019-10170 | unknown | — | — | 5y ago | Privilege Defined With Unsafe Actions in Keycloak | |||
| CVE-2019-10095 | unknown | — | — | 5y ago | Bash command injection in Apache Zeppelin | |||
| CVE-2019-25050 | unknown | — | — | 5y ago | netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow in nc4_get_att (called from nc4_get_att_tc and nc_get_att_text) and in uffd_cleanup (called from netCDFDataset::~netCDFDataset and… | |||
| CVE-2019-13126 | unknown | — | — | 5y ago | An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authe… | |||
| CVE-2019-25027 | unknown | — | — | 5y ago | Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13 | |||
| CVE-2019-25028 | unknown | — | — | 5y ago | Stored cross-site scripting in Grid component in Vaadin 7 and 8 | |||
| CVE-2019-17638 | unknown | — | — | 6y ago | Operation on a Resource after Expiration or Release in Jetty Server | |||
| CVE-2019-13990 | unknown | — | — | 6y ago | XML external entity injection in Terracotta Quartz Scheduler | |||
| CVE-2019-17572 | unknown | — | — | 6y ago | Directory traversal in Apache RocketMQ | |||
| CVE-2019-2692 | unknown | — | — | 6y ago | Privilege escalation in mysql-connector-java | |||
| CVE-2019-17267 | unknown | — | — | 6y ago | Improper Input Validation in jackson-databind | |||
| CVE-2019-17570 | unknown | — | — | 6y ago | Insecure Deserialization in Apache XML-RPC | |||
| CVE-2019-17573 | unknown | — | — | 6y ago | Reflected Cross-Site Scripting in Apache CXF | |||
| CVE-2019-12423 | unknown | — | — | 6y ago | Private key leak in Apache CXF | |||
| CVE-2019-14893 | unknown | — | — | 6y ago | Polymorphic deserialization of malicious object in jackson-databind | |||
| CVE-2019-14892 | unknown | — | — | 6y ago | Polymorphic deserialization of malicious object in jackson-databind | |||
| CVE-2019-12399 | unknown | — | — | 6y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Kafka | |||
| CVE-2019-14820 | unknown | — | — | 6y ago | Exposure of Sensitive Information to an Unauthorized Actor in Keycloak | |||
| CVE-2019-19135 | unknown | — | — | 6y ago | Insufficient Nonce Validation in Eclipse Milo Client | |||
| CVE-2019-17569 | unknown | — | — | 6y ago | The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were … | |||
| CVE-2019-20444 | unknown | — | — | 6y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-20445 | unknown | — | — | 6y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-19703 | unknown | — | — | 6y ago | URL Redirection to Untrusted Site (Open Redirect) in Ktor | |||
| CVE-2019-10911 | unknown | — | — | 6y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with… | |||
| CVE-2019-10912 | unknown | — | — | 6y ago | In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul… | |||
| CVE-2019-11325 | unknown | — | — | 6y ago | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar… | |||
| CVE-2019-10172 | unknown | — | — | 6y ago | Improper Restriction of XML External Entity Reference in jackson-mapper-asl | |||
| CVE-2019-17556 | unknown | — | — | 6y ago | Deserialization of Untrusted Data in Apache Olingo | |||
| CVE-2019-17555 | unknown | — | — | 6y ago | Improper input validation in Apache Olingo | |||
| CVE-2019-12422 | unknown | — | — | 6y ago | Improper input validation in Apache Shiro | |||
| CVE-2019-10782 | unknown | — | — | 6y ago | XML external entity (XXE) processing ('external-parameter-entities' feature was not fully disabled) | |||
| CVE-2019-10770 | unknown | — | — | 6y ago | Default development error handler in Ratpack is vulnerable to HTML content injection (XSS) | |||
| CVE-2019-10158 | unknown | — | — | 7y ago | Improper implementation of the session fixation protection in Infinispan | |||
| CVE-2019-10070 | unknown | — | — | 7y ago | Stored XSS in Apache Atlas | |||
| CVE-2019-10219 | unknown | — | — | 7y ago | The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks | |||
| CVE-2019-12418 | unknown | — | — | 7y ago | When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration f… |