CVEs from 2021
Total
4,791
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.4%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-22923 | medium | — | 5.5 | 5y ago | When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to e… | |||
| CVE-2021-22922 | medium | — | 5.5 | 5y ago | When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to … | |||
| CVE-2021-22924 | medium | — | 5.5 | 5y ago | libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take… | |||
| CVE-2021-39214 | medium | — | 5.5 | 5y ago | mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This m… | |||
| CVE-2021-3653 | medium | — | 5.5 | 5y ago | A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a ne… | |||
| CVE-2021-32839 | medium | — | 5.5 | 5y ago | sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may c… | |||
| CVE-2021-36156 | medium | — | 5.5 | 5y ago | Path traversal in Grafana Loki | |||
| CVE-2021-39163 | medium | — | 5.5 | 5y ago | Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if t… | |||
| CVE-2021-39164 | medium | — | 5.5 | 5y ago | Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) o… | |||
| CVE-2021-37701 | medium | — | 5.5 | 5y ago | RHSA-2022:0350: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-37712 | medium | — | 5.5 | 5y ago | RHSA-2022:0350: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-38553 | medium | — | 5.5 | 5y ago | HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 in github.com/hashicorp/vault | |||
| CVE-2021-38554 | medium | — | 5.5 | 5y ago | Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault | |||
| CVE-2021-3712 | medium | — | 5.5 | 5y ago | RHSA-2021:5226: openssl security update (Moderate) | |||
| CVE-2021-22942 | medium | — | 5.5 | 5y ago | A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. | |||
| CVE-2021-3416 | medium | — | 5.5 | 5y ago | A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA c… | |||
| CVE-2021-20221 | medium | — | 5.5 | 5y ago | An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing … | |||
| CVE-2021-3504 | medium | — | 5.5 | 5y ago | RHSA-2021:3061: virt:rhel and virt-devel:rhel security and bug fix update (Moderate) | |||
| CVE-2021-28877 | medium | — | 5.5 | 5y ago | RHSA-2021:3063: rust-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-28876 | medium | — | 5.5 | 5y ago | RHSA-2021:3063: rust-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-28875 | medium | — | 5.5 | 5y ago | RHSA-2021:3063: rust-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-3429 | medium | — | 5.5 | 5y ago | RHSA-2021:3081: cloud-init security update (Moderate) | |||
| CVE-2021-31162 | medium | — | 5.5 | 5y ago | RHSA-2021:3063: rust-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-28879 | medium | — | 5.5 | 5y ago | RHSA-2021:3063: rust-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-28878 | medium | — | 5.5 | 5y ago | RHSA-2021:3063: rust-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-3798 | medium | — | 5.5 | 5y ago | RHBA-2021:3054: opencryptoki bug fix and enhancement update (Moderate) | |||
| CVE-2021-23418 | medium | — | 5.5 | 5y ago | The package glances before 3.2.1 are vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks. | |||
| CVE-2021-32760 | medium | — | 5.5 | 5y ago | Archive package allows chmod of file outside of unpack target directory in github.com/containerd/containerd | |||
| CVE-2021-31292 | medium | — | 5.5 | 5y ago | RHSA-2021:4319: compat-exiv2-026 security update (Moderate) | |||
| CVE-2021-32610 | medium | — | 5.5 | 5y ago | RHSA-2022:7628: php:7.4 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-2369 | medium | — | 5.5 | 5y ago | RHSA-2021:4089: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2021-2341 | medium | — | 5.5 | 5y ago | RHSA-2021:4089: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2021-36213 | medium | — | 5.5 | 5y ago | HashiCorp Consul L7 deny intention results in an allow action in github.com/hashicorp/consul | |||
| CVE-2021-32574 | medium | — | 5.5 | 5y ago | Hashicorp Consul Missing SSL Certificate Validation in github.com/hashicorp/consul | |||
| CVE-2021-3602 | medium | — | 5.5 | 5y ago | RHSA-2021:4222: container-tools:3.0 security and bug fix update (Moderate) | |||
| CVE-2021-36753 | medium | — | 5.5 | 5y ago | Uncontrolled Search Path Element in sharkdp/bat | |||
| CVE-2021-32740 | medium | — | 5.5 | 5y ago | Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through v… | |||
| CVE-2021-3520 | medium | — | 5.5 | 5y ago | RHSA-2021:2575: lz4 security update (Moderate) | |||
| CVE-2021-3516 | medium | — | 5.5 | 5y ago | There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this … | |||
| CVE-2021-3541 | medium | — | 5.5 | 5y ago | A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service. | |||
| CVE-2021-28211 | medium | — | 5.5 | 5y ago | RHSA-2021:2591: edk2 security update (Moderate) | |||
| CVE-2021-3421 | medium | — | 5.5 | 5y ago | RHSA-2021:2574: rpm security update (Moderate) | |||
| CVE-2021-20271 | medium | — | 5.5 | 5y ago | RHSA-2021:2574: rpm security update (Moderate) | |||
| CVE-2021-3514 | medium | — | 5.5 | 5y ago | RHSA-2021:2595: 389-ds:1.4 security and bug fix update (Moderate) | |||
| CVE-2021-32690 | medium | — | 5.5 | 5y ago | information disclosure in helm | |||
| CVE-2021-32659 | medium | — | 5.5 | 5y ago | Automatic room upgrade handling can be used maliciously to bridge a room non-consentually | |||
| CVE-2021-31800 | medium | — | 5.5 | 5y ago | Multiple path traversal vulnerabilities exist in smbserver.py in Impacket through 0.9.22. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ direc… | |||
| CVE-2021-33026 | medium | — | 5.5 | 5y ago | The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache st… | |||
| CVE-2021-26291 | medium | — | 5.5 | 5y ago | Origin Validation Error in Apache Maven | |||
| CVE-2021-34363 | medium | — | 5.5 | 5y ago | The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature. | |||
| CVE-2021-3013 | medium | — | 5.5 | 5y ago | ripgrep before 13 on Windows allows attackers to trigger execution of arbitrary programs from the current working directory via the -z/--search-zip or --pre flag. | |||
| CVE-2021-33880 | medium | — | 5.5 | 5y ago | The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). An … | |||
| CVE-2021-33571 | medium | — | 5.5 | 5y ago | In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This m… | |||
| CVE-2021-33203 | medium | — | 5.5 | 5y ago | Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the exis… | |||
| CVE-2021-32677 | medium | — | 5.5 | 5y ago | FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that rece… | |||
| CVE-2021-32052 | medium | — | 5.5 | 5y ago | In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application… | |||
| CVE-2021-3533 | medium | — | 5.5 | 5y ago | A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious,… | |||
| CVE-2021-32923 | medium | — | 5.5 | 5y ago | Invalid session token expiration in github.com/hashicorp/vault | |||
| CVE-2021-28677 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25288 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-28678 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-28675 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25287 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-28676 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-3522 | medium | 5.5 | 5.5 | 5y ago | GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags. | |||
| CVE-2021-33038 | medium | — | 5.5 | 5y ago | An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration… | |||
| CVE-2021-20178 | medium | — | 5.5 | 5y ago | information disclosure in ansible | |||
| CVE-2021-20191 | medium | — | 5.5 | 5y ago | information disclosure in ansible | |||
| CVE-2021-33503 | medium | — | 5.5 | 5y ago | RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate) | |||
| CVE-2021-25735 | medium | — | 5.5 | 5y ago | A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Adm… | |||
| CVE-2021-21404 | medium | — | 5.5 | 5y ago | Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative le… | |||
| CVE-2021-3177 | medium | — | 5.5 | 5y ago | RHSA-2021:1879: python38:3.8 security update (Moderate) | |||
| CVE-2021-20225 | medium | — | 5.5 | 5y ago | RHSA-2021:2566: fwupd security update (Moderate) | |||
| CVE-2021-20233 | medium | — | 5.5 | 5y ago | RHSA-2021:2566: fwupd security update (Moderate) | |||
| CVE-2021-1817 | medium | — | 5.5 | 5y ago | A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted web… | |||
| CVE-2021-1820 | medium | — | 5.5 | 5y ago | A memory initialization issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted … | |||
| CVE-2021-1826 | medium | — | 5.5 | 5y ago | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted web content may lea… | |||
| CVE-2021-1825 | medium | — | 5.5 | 5y ago | An input validation issue was addressed with improved input validation. This issue is fixed in iTunes 12.11.3 for Windows, iCloud for Windows 12.3, macOS Big Sur 11.3, Safari 14.1, watchOS 7.4, tvOS … | |||
| CVE-2021-3326 | medium | — | 5.5 | 5y ago | RHSA-2021:1585: glibc security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-20297 | medium | — | 5.5 | 5y ago | RHSA-2021:1574: NetworkManager and libnma security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-0326 | medium | — | 5.5 | 5y ago | RHSA-2021:1686: wpa_supplicant security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-29510 | medium | — | 5.5 | 5y ago | Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `dat… | |||
| CVE-2021-29471 | medium | — | 5.5 | 5y ago | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push … | |||
| CVE-2021-21430 | medium | — | 5.5 | 5y ago | Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code | |||
| CVE-2021-29262 | medium | — | 5.5 | 5y ago | Improper permission handling in Apache Solr | |||
| CVE-2021-27905 | medium | — | 5.5 | 5y ago | Server-Side Request Forgery in Apache Solr | |||
| CVE-2021-29943 | medium | — | 5.5 | 5y ago | Incorrect Authorization in Apache Solr | |||
| CVE-2021-21419 | medium | — | 5.5 | 5y ago | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side… | |||
| CVE-2021-23362 | medium | — | 5.5 | 5y ago | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-22902 | medium | — | 5.5 | 5y ago | The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of A… | |||
| CVE-2021-22885 | medium | — | 5.5 | 5y ago | A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. | |||
| CVE-2021-22904 | medium | — | 5.5 | 5y ago | The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive … | |||
| CVE-2021-22903 | medium | — | 5.5 | 5y ago | The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Author… | |||
| CVE-2021-31799 | medium | — | 5.5 | 5y ago | RHSA-2022:0672: ruby:2.5 security update (Moderate) | |||
| CVE-2021-23840 | medium | — | 5.5 | 5y ago | RHSA-2021:4424: openssl security and bug fix update (Moderate) | |||
| CVE-2021-23841 | medium | — | 5.5 | 5y ago | RHSA-2021:4424: openssl security and bug fix update (Moderate) | |||
| CVE-2021-29472 | medium | — | 5.5 | 5y ago | Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow… | |||
| CVE-2021-29425 | medium | — | 5.5 | 5y ago | Path Traversal and Improper Input Validation in Apache Commons IO | |||
| CVE-2021-20270 | medium | — | 5.5 | 5y ago | RHSA-2021:4151: python27:2.7 security update (Moderate) | |||
| CVE-2021-29421 | medium | — | 5.5 | 5y ago | models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. |