CVEs from 2021
Total
4,791
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.4%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-4069 | low | — | 2.5 | — | vim is vulnerable to Use After Free | |||
| CVE-2021-31855 | low | — | 2.5 | — | KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages in some situations. Deleting an attachment of a decrypted encrypted message stored on a remote server (e.g., an IMAP server) caus… | |||
| CVE-2021-3475 | low | — | 2.5 | — | There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker who can submit a crafted file to be processed by OpenEXR could cause an integer overflow, potentially leading to problems with ap… | |||
| CVE-2021-32613 | low | — | 2.5 | — | In radare2 through 5.3.0 there is a double free vulnerability in the pyc parse via a crafted file which can lead to DoS. | |||
| CVE-2021-3671 | low | — | 2.5 | — | A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samb… | |||
| CVE-2021-39924 | low | — | 2.5 | — | Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-39925 | low | — | 2.5 | — | Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-39928 | low | — | 2.5 | — | NULL pointer exception in the IEEE 802.11 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-43877 | low | — | 2.5 | — | privilege escalation in dotnet-runtime | |||
| CVE-2021-3968 | low | — | 2.5 | — | vim is vulnerable to Heap-based Buffer Overflow | |||
| CVE-2021-4021 | low | — | 2.5 | — | A vulnerability was found in Radare2 in versions prior to 5.6.2, 5.6.0, 5.5.4 and 5.5.2. Mapping a huge section filled with zeros of an ELF64 binary for MIPS architecture can lead to uncontrolled res… | |||
| CVE-2021-39247 | low | — | 2.5 | — | Zint Barcode Generator before 2.10.0 has a one-byte buffer over-read, related to is_last_single_ascii in code1.c, and rs_encode_uint in reedsol.c. | |||
| CVE-2021-28117 | low | — | 2.5 | — | libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of… | |||
| CVE-2021-26934 | low | — | 2.5 | — | An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration… | |||
| CVE-2021-3903 | low | — | 2.5 | 2y ago | vim is vulnerable to Heap-based Buffer Overflow | |||
| CVE-2021-26086 | unknown | — | 2.5 | 2y ago | Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint. | |||
| CVE-2021-44529 | unknown | — | 2.5 | 2y ago | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody). | |||
| CVE-2021-3826 | low | — | 2.5 | 3y ago | Low: gdb security update | |||
| CVE-2021-43618 | low | — | 2.5 | 3y ago | Low: gmp security and enhancement update | |||
| CVE-2021-27876 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Ag… | |||
| CVE-2021-27877 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. | |||
| CVE-2021-27878 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine. | |||
| CVE-2021-35587 | unknown | — | 2.5 | 4y ago | Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to takeover the Access Manager product. | |||
| CVE-2021-46195 | low | — | 2.5 | 4y ago | Low: mingw-gcc security and bug fix update | |||
| CVE-2021-3507 | low | — | 2.5 | 4y ago | A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers fr… | |||
| CVE-2021-44269 | low | — | 2.5 | 4y ago | RHSA-2022:7558: wavpack security update (Low) | |||
| CVE-2021-3493 | unknown | — | 2.5 | 4y ago | The overlayfs stacking file system in Linux kernel does not properly validate the application of file capabilities against user namespaces, which could lead to privilege escalation. | |||
| CVE-2021-3981 | low | — | 2.5 | 4y ago | RHSA-2022:2110: grub2 security, bug fix, and enhancement update (Low) | |||
| CVE-2021-3634 | low | — | 2.5 | 4y ago | RHSA-2022:2031: libssh security, bug fix, and enhancement update (Low) | |||
| CVE-2021-3802 | low | — | 2.5 | 4y ago | RHSA-2022:1820: udisks2 security and bug fix update (Low) | |||
| CVE-2021-41229 | low | — | 2.5 | 4y ago | RHSA-2022:2081: bluez security update (Low) | |||
| CVE-2021-23222 | low | — | 2.5 | 4y ago | RHSA-2022:1891: libpq security update (Low) | |||
| CVE-2021-31166 | unknown | — | 2.5 | 4y ago | Microsoft HTTP Protocol Stack contains a vulnerability in http.sys that allows for remote code execution. | |||
| CVE-2021-3461 | low | — | 2.5 | 4y ago | Keycloak insufficient session expiration | |||
| CVE-2021-21551 | unknown | — | 2.5 | 4y ago | Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure. | |||
| CVE-2021-26085 | unknown | — | 2.5 | 4y ago | Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authorization arbitrary file read vulnerability in the /s/ endpoint. | |||
| CVE-2021-42237 | unknown | — | 2.5 | 4y ago | Sitcore XP contains an insecure deserialization vulnerability which can allow for remote code execution. | |||
| CVE-2021-4091 | low | — | 2.5 | 4y ago | RHSA-2022:0889: 389-ds:1.4 security and bug fix update (Low) | |||
| CVE-2021-36934 | unknown | — | 2.5 | 4y ago | If a Volume Shadow Copy (VSS) shadow copy of the system drive is available, users can read the SAM file which would allow any user to escalate privileges to SYSTEM level. | |||
| CVE-2021-21975 | unknown | — | 2.5 | 4y ago | Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to s… | |||
| CVE-2021-25298 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-25296 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-25297 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-36260 | unknown | — | 2.5 | 5y ago | A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation. | |||
| CVE-2021-20257 | low | — | 2.5 | 5y ago | An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized wi… | |||
| CVE-2021-3930 | low | — | 2.5 | 5y ago | An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). … | |||
| CVE-2021-45046 | unknown | — | 2.5 | 5y ago | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in… | |||
| CVE-2021-44077 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution | |||
| CVE-2021-43668 | low | — | 2.5 | 5y ago | Denial of Service in Go-Ethereum | |||
| CVE-2021-40449 | unknown | — | 2.5 | 5y ago | Unspecified vulnerability allows for an authenticated user to escalate privileges. | |||
| CVE-2021-42321 | unknown | — | 2.5 | 5y ago | An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution. | |||
| CVE-2021-3572 | low | — | 2.5 | 5y ago | A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest… | |||
| CVE-2021-20266 | low | — | 2.5 | 5y ago | RHSA-2021:4489: rpm security, bug fix, and enhancement update (Low) | |||
| CVE-2021-3200 | low | — | 2.5 | 5y ago | Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c… | |||
| CVE-2021-20269 | low | — | 2.5 | 5y ago | RHSA-2021:4404: kexec-tools security, bug fix, and enhancement update (Low) | |||
| CVE-2021-43566 | low | — | 2.5 | 5y ago | RHBA-2021:4438: samba bug fix and enhancement update (Low) | |||
| CVE-2021-27065 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-26855 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-26084 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code. | |||
| CVE-2021-42258 | unknown | — | 2.5 | 5y ago | BQE BillQuick Web Suite contains an SQL injection vulnerability when accessing the username parameter that may allow for unauthenticated, remote code execution. | |||
| CVE-2021-1497 | unknown | — | 2.5 | 5y ago | Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user. | |||
| CVE-2021-40444 | unknown | — | 2.5 | 5y ago | Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-36942 | unknown | — | 2.5 | 5y ago | Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability allowing an unauthenticated attacker to call a method on the LSARPC interface and coerce the domain controller to au… | |||
| CVE-2021-31207 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass. | |||
| CVE-2021-22005 | unknown | — | 2.5 | 5y ago | VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 to execute code. | |||
| CVE-2021-21972 | unknown | — | 2.5 | 5y ago | VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network access to port 443 to execute commands with unrest… | |||
| CVE-2021-21985 | unknown | — | 2.5 | 5y ago | VMware vSphere Client contains an improper input validation vulnerability in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server, which allows for remote code executio… | |||
| CVE-2021-38647 | unknown | — | 2.5 | 5y ago | Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution. | |||
| CVE-2021-38648 | unknown | — | 2.5 | 5y ago | Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation. | |||
| CVE-2021-22502 | unknown | — | 2.5 | 5y ago | Micro Focus Operation Bridge Report (OBR) contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-22986 | unknown | — | 2.5 | 5y ago | F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system co… | |||
| CVE-2021-34527 | unknown | — | 2.5 | 5y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation allows an atta… | |||
| CVE-2021-35464 | unknown | — | 2.5 | 5y ago | ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFram… | |||
| CVE-2021-40539 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution. | |||
| CVE-2021-30657 | unknown | — | 2.5 | 5y ago | Apple macOS contains an unspecified logic issue in System Preferences that may allow a malicious application to bypass Gatekeeper checks. | |||
| CVE-2021-1498 | unknown | — | 2.5 | 5y ago | Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. | |||
| CVE-2021-1675 | unknown | — | 2.5 | 5y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-1732 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-34523 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-34473 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-3828 | low | — | 2.5 | 5y ago | nltk is vulnerable to Inefficient Regular Expression Complexity | |||
| CVE-2021-37860 | low | — | 2.5 | 5y ago | Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server | |||
| CVE-2021-40839 | low | — | 2.5 | 5y ago | The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory. | |||
| CVE-2021-25737 | low | — | 2.5 | 5y ago | A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or … | |||
| CVE-2021-23437 | low | — | 2.5 | 5y ago | The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function. | |||
| CVE-2021-39144 | unknown | — | 2.5 | 5y ago | XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command o… | |||
| CVE-2021-22918 | low | — | 2.5 | 5y ago | Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uv__idna_toascii() is used to convert strings to ASCII. The pointer p is read and increased without checking whethe… | |||
| CVE-2021-3652 | low | — | 2.5 | 5y ago | RHSA-2021:3079: 389-ds:1.4 security and bug fix update (Low) | |||
| CVE-2021-29063 | low | — | 2.5 | 5y ago | A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath v1.0.0 when the mpmathify function is called. | |||
| CVE-2021-32813 | low | — | 2.5 | 5y ago | Header dropping in traefik in github.com/traefik/traefik | |||
| CVE-2021-36374 | low | — | 2.5 | 5y ago | Improper Handling of Length Parameter Inconsistency in Apache Ant | |||
| CVE-2021-36373 | low | — | 2.5 | 5y ago | Improper Handling of Length Parameter Inconsistency in Apache Ant | |||
| CVE-2021-21303 | low | — | 2.5 | 5y ago | insufficient validation in helm | |||
| CVE-2021-29957 | low | — | 2.5 | 5y ago | multiple issues in thunderbird | |||
| CVE-2021-29956 | low | — | 2.5 | 5y ago | multiple issues in thunderbird | |||
| CVE-2021-31542 | low | — | 2.5 | 5y ago | In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. | |||
| CVE-2021-26813 | low | — | 2.5 | 5y ago | markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or de… | |||
| CVE-2021-20201 | low | — | 2.5 | 5y ago | RHSA-2021:1924: spice security update (Low) | |||
| CVE-2021-23239 | low | — | 2.5 | 5y ago | The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled… | |||
| CVE-2021-23240 | low | — | 2.5 | 5y ago | selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary … |