CVEs from 2020

Summary
- Total: 3,789
- Critical: 206
- High: 563
- Medium: 744
- Low: 60
- % Critical: 5.4%
- % with KEV: 3.9%
- % with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-26882 | unknown | — | — | | | | 4y ago | Data Amplification in Play Framework |
| CVE-2020-27196 | unknown | — | — | | | | 4y ago | Out-of-bounds Write in Play Framework |
| CVE-2020-26883 | unknown | — | — | | | | 4y ago | Uncontrolled Recursion in Play Framework |
| CVE-2020-27217 | unknown | — | — | | | | 4y ago | Improper Validation of Specified Quantity in Input in Eclipse Hono |
| CVE-2020-13957 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Apache Solr |
| CVE-2020-13942 | unknown | — | — | | | | 4y ago | Injection and Improper Input Validation in Apache Unomi |
| CVE-2020-11975 | unknown | — | — | | | | 4y ago | Improper Input Validation in Apache Unomi |
| CVE-2020-7778 | unknown | — | — | | | | 4y ago | This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands. |
| CVE-2020-25802 | unknown | — | — | | | | 4y ago | Improper Control of Dynamically-Managed Code Resources in Crafter CMS Crafter Studio |
| CVE-2020-25803 | unknown | — | — | | | | 4y ago | Improper Control of Dynamically-Managed Code Resources in Crafter CMS Crafter Studio |
| CVE-2020-7780 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery |
| CVE-2020-13943 | unknown | — | — | | | | 4y ago | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation o… |
| CVE-2020-8022 | unknown | — | — | | | | 4y ago | Incorrect Default Permissions in Apache Tomcat |
| CVE-2020-25638 | unknown | — | — | | | | 4y ago | SQL injection in hibernate-core |
| CVE-2020-25711 | unknown | — | — | | | | 4y ago | Improper Access Control in infinispan-server-runtime |
| CVE-2020-28923 | unknown | — | — | | | | 4y ago | Data Amplification in Play Framework |
| CVE-2020-17531 | unknown | — | — | | | | 4y ago | Serialization vulnerability in Apache Tapestry |
| CVE-2020-11974 | unknown | — | — | | | | 4y ago | Remote code execution in DolphinScheduler |
| CVE-2020-13931 | unknown | — | — | | | | 4y ago | Remote code execution in Apache TomEE |
| CVE-2020-17533 | unknown | — | — | | | | 4y ago | Improper privilege handling in Apache Accumulo |
| CVE-2020-35774 | unknown | — | — | | | | 4y ago | TwitterServer Cross-site Scripting via /histograms endpoint |
| CVE-2020-13654 | unknown | — | — | | | | 4y ago | Improper escaping in XWiki Platform |
| CVE-2020-17518 | unknown | — | — | | | | 4y ago | Upload of file to arbitrary path in Apache Flink |
| CVE-2020-11995 | unknown | — | — | | | | 4y ago | Deserialization exploitation in Apache Dubbo |
| CVE-2020-17534 | unknown | — | — | | | | 4y ago | Improper synchronization in Apache Netbeans HTML/Java API |
| CVE-2020-27219 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Eclipse Hawkbit |
| CVE-2020-17532 | unknown | — | — | | | | 4y ago | Arbitrary code execution in Apache ServiceComb java-chassis |
| CVE-2020-23262 | unknown | — | — | | | | 4y ago | SQL injection without credentials in ming-soft MCMS |
| CVE-2020-9492 | unknown | — | — | | | | 4y ago | Improper Privilege Management in Apache Hadoop |
| CVE-2020-5428 | unknown | — | — | | | | 4y ago | SQL Injection in Spring Cloud Task |
| CVE-2020-13920 | unknown | — | — | | | | 4y ago | Improper Authentication in Apache ActiveMQ |
| CVE-2020-11998 | unknown | — | — | | | | 4y ago | Remote code execution in Apache ActiveMQ |
| CVE-2020-13932 | unknown | — | — | | | | 4y ago | Cross-site Scripting (XSS) in Apache ActiveMQ Artemis |
| CVE-2020-1958 | unknown | — | — | | | | 4y ago | Credentials bypass in Apache Druid |
| CVE-2020-17523 | unknown | — | — | | | | 4y ago | Authentication bypass in Apache Shiro |
| CVE-2020-13947 | unknown | — | — | | | | 4y ago | Cross-site scripting (XSS) in Apache ActiveMQ |
| CVE-2020-17516 | unknown | — | — | | | | 4y ago | Authentication Bypass in Apache Cassandra |
| CVE-2020-1718 | unknown | — | — | | | | 4y ago | Improper Authentication for Keycloak |
| CVE-2020-10776 | unknown | — | — | | | | 4y ago | Cross-site Scripting in keycloak |
| CVE-2020-1694 | unknown | — | — | | | | 4y ago | Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak |
| CVE-2020-10758 | unknown | — | — | | | | 4y ago | Allocation of Resources Without Limits or Throttling in Keycloak |
| CVE-2020-10748 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Keycloak |
| CVE-2020-1758 | unknown | — | — | | | | 4y ago | Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak |
| CVE-2020-27782 | unknown | — | — | | | | 4y ago | Denial of service in Undertow |
| CVE-2020-1926 | unknown | — | — | | | | 4y ago | Apache Hive Information Exposure and Observable Timing Discrepancy |
| CVE-2020-12668 | unknown | — | — | | | | 4y ago | Unauthorized access to Class instance in Jinjava |
| CVE-2020-9482 | unknown | — | — | | | | 4y ago | Insufficient Session Expiration in Apache NiFi Registry |
| CVE-2020-9491 | unknown | — | — | | | | 5y ago | Inadequate Encryption Strength in Apache NiFi |
| CVE-2020-9487 | unknown | — | — | | | | 5y ago | Missing Authentication for Critical Function in Apache NiFi |
| CVE-2020-9486 | unknown | — | — | | | | 5y ago | Insertion of Sensitive Information into Log File in Apache NiFi Stateless |
| CVE-2020-13940 | unknown | — | — | | | | 5y ago | Improper Restriction of XML External Entity Reference in Apache NiFi |
| CVE-2020-1942 | unknown | — | — | | | | 5y ago | Insertion of Sensitive Information into Log File in Apache NiFi |
| CVE-2020-1928 | unknown | — | — | | | | 5y ago | Apache NiFi Insertion of Sensitive Information into Log File |
| CVE-2020-1933 | unknown | — | — | | | | 5y ago | Cross-site scripting in Apache NiFi |
| CVE-2020-1936 | unknown | — | — | | | | 5y ago | Cross-site Scripting (XSS) in Apache Ambari Views |
| CVE-2020-13936 | unknown | — | — | | | | 5y ago | Sandbox Bypass in Apache Velocity Engine |
| CVE-2020-28452 | unknown | — | — | | | | 5y ago | Cross-Site Request Forgery in com.softwaremill.akka-http-session:core_2.12 |
| CVE-2020-1952 | unknown | — | — | | | | 5y ago | Improper Certificate Validation in Apache IoTDB |
| CVE-2020-1964 | unknown | — | — | | | | 5y ago | Deserialization of Untrusted Data in Apache Heron |
| CVE-2020-35215 | unknown | — | — | | | | 5y ago | Malicious Atomix node queries expose sensitive information |
| CVE-2020-35209 | unknown | — | — | | | | 5y ago | An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. |
| CVE-2020-35214 | unknown | — | — | | | | 5y ago | An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. |
| CVE-2020-35210 | unknown | — | — | | | | 5y ago | A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages. |
| CVE-2020-35216 | unknown | — | — | | | | 5y ago | An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages. |
| CVE-2020-35213 | unknown | — | — | | | | 5y ago | An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. |
| CVE-2020-35211 | unknown | — | — | | | | 5y ago | An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node. |
| CVE-2020-1940 | unknown | — | — | | | | 5y ago | Improper Removal of Sensitive Information Before Storage or Transfer in Apache Jackrabbit Oak |
| CVE-2020-36282 | unknown | — | — | | | | 5y ago | Unsafe Deserialization that can Result in Code Execution |
| CVE-2020-28491 | unknown | — | — | | | | 5y ago | Denial of Service (DoS) in Jackson Dataformat CBOR |
| CVE-2020-36189 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSo… |
| CVE-2020-36187 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. |
| CVE-2020-36188 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. |
| CVE-2020-36184 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. |
| CVE-2020-36180 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36181 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36185 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. |
| CVE-2020-36179 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-36182 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. |
| CVE-2020-24750 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. |
| CVE-2020-35491 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. |
| CVE-2020-35490 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. |
| CVE-2020-24616 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). |
| CVE-2020-36186 | unknown | — | — | | | | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. |
| CVE-2020-14389 | unknown | — | — | | | | 5y ago | Improper privilege management in Keycloak |
| CVE-2020-29204 | unknown | — | — | | | | 5y ago | Cross-site Scripting in XXL-JOB |
| CVE-2020-8897 | unknown | — | — | | | | 5y ago | Security issues in AWS KMS and AWS Encryption SDKs: in-band protocol negotiation and robustness |
| CVE-2020-7692 | unknown | — | — | | | | 5y ago | Improper Authorization in Google OAuth Client |
| CVE-2020-21122 | unknown | — | — | | | | 5y ago | Server-Side Request Forgery in UReport |
| CVE-2020-21125 | unknown | — | — | | | | 5y ago | Remote code execution in UReport |
| CVE-2020-1744 | unknown | — | — | | | | 5y ago | Exposure of Sensitive Information in keycloak |
| CVE-2020-13929 | unknown | — | — | | | | 5y ago | Authentication bypass in Apache Zeppelin |
| CVE-2020-6950 | unknown | — | — | | | | 5y ago | Directory traversal in Eclipse Mojarra |
| CVE-2020-15522 | unknown | — | — | | | | 5y ago | Timing based private key exposure in Bouncy Castle |
| CVE-2020-27178 | unknown | — | — | | | | 5y ago | Improper Authentication in Apereo CAS |
| CVE-2020-19676 | unknown | — | — | | | | 5y ago | Incorrect Access Control in Nacos |
| CVE-2020-12642 | unknown | — | — | | | | 5y ago | XXE vulnerability in Launch import |
| CVE-2020-11977 | unknown | — | — | | | | 5y ago | Shell command injection in Apache Syncope |
| CVE-2020-1959 | unknown | — | — | | | | 5y ago | Expression Language Injection in Apache Syncope |
| CVE-2020-1961 | unknown | — | — | | | | 5y ago | Injection in Apache Syncope |
| CVE-2020-10688 | unknown | — | — | | | | 5y ago | Cross-site scripting in RESTEasy |