CVEs from 2021
Total
4,791
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.4%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-23463 | unknown | — | — | 5y ago | Improper Restriction of XML External Entity Reference in com.h2database:h2. | |||
| CVE-2021-44549 | unknown | — | — | 5y ago | Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Apache Sling Commons Messaging Mail | |||
| CVE-2021-43113 | unknown | — | — | 5y ago | Command injection in itext7-core | |||
| CVE-2021-43821 | unknown | — | — | 5y ago | Files Accessible to External Parties in Opencast | |||
| CVE-2021-43807 | unknown | — | — | 5y ago | HTTP Method Spoofing | |||
| CVE-2021-42567 | unknown | — | — | 5y ago | Cross-site Scripting in Apereo CAS | |||
| CVE-2021-43795 | unknown | — | — | 5y ago | Path Traversal in com.linecorp.armeria:armeria | |||
| CVE-2021-40369 | unknown | — | — | 5y ago | Apache JSPWiki Cross-site Scripting due to carefully crafted plugin link invocation | |||
| CVE-2021-22095 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in Spring AMQP | |||
| CVE-2021-44140 | unknown | — | — | 5y ago | Incorrect Default Permissions in Apache JSPWiki | |||
| CVE-2021-40830 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 | |||
| CVE-2021-40829 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 | |||
| CVE-2021-40828 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 | |||
| CVE-2021-41270 | unknown | — | — | 5y ago | Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 bef… | |||
| CVE-2021-40831 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 | |||
| CVE-2021-41268 | unknown | — | — | 5y ago | Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version… | |||
| CVE-2021-41267 | unknown | — | — | 5y ago | Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers"… | |||
| CVE-2021-39231 | unknown | — | — | 5y ago | Exposure of sensitive information in Apache Ozone | |||
| CVE-2021-39233 | unknown | — | — | 5y ago | Incorrect Authorization in Apache Ozone | |||
| CVE-2021-41532 | unknown | — | — | 5y ago | Apache Ozone exposes OM, SCM and Datanode metadata | |||
| CVE-2021-39235 | unknown | — | — | 5y ago | Incorrect permissions in Apache Ozone | |||
| CVE-2021-36372 | unknown | — | — | 5y ago | Improper Privilege Management in Apache Ozone | |||
| CVE-2021-39232 | unknown | — | — | 5y ago | Incorrect Authorization in Apache Ozone | |||
| CVE-2021-39236 | unknown | — | — | 5y ago | Apache Ozone user impersonation due to non-validation of Ozone S3 tokens | |||
| CVE-2021-39234 | unknown | — | — | 5y ago | Incorrect Authorization in Apache Ozone | |||
| CVE-2021-22053 | unknown | — | — | 5y ago | Code injection in spring-cloud-netflix-hystrix-dashboard | |||
| CVE-2021-37580 | unknown | — | — | 5y ago | Improper Authentication in Apache ShenYu Admin | |||
| CVE-2021-45710 | unknown | — | — | 5y ago | An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory… | |||
| CVE-2021-41269 | unknown | — | — | 5y ago | Critical vulnerability found in cron-utils | |||
| CVE-2021-43570 | unknown | — | — | 5y ago | Improper Verification of Cryptographic Signature in starkbank-ecdsa | |||
| CVE-2021-3909 | unknown | — | — | 5y ago | OctoRPKI does not limit the length of a connection, allowing for a slowloris DOS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests… | |||
| CVE-2021-43466 | unknown | — | — | 5y ago | Template injection in thymeleaf-spring5 | |||
| CVE-2021-22051 | unknown | — | — | 5y ago | Request injection in Spring Cloud Gateway | |||
| CVE-2021-33611 | unknown | — | — | 5y ago | Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14 | |||
| CVE-2021-41973 | unknown | — | — | 5y ago | Infinite loop in Apache MINA | |||
| CVE-2021-27644 | unknown | — | — | 5y ago | SQL injection in Apache DolphinScheduler | |||
| CVE-2021-41189 | unknown | — | — | 5y ago | Communities and collections administrators can escalate their privilege up to system administrator | |||
| CVE-2021-40865 | unknown | — | — | 5y ago | Deserialization of Untrusted Data leading to Remote Code Execution in Apache Storm | |||
| CVE-2021-41184 | unknown | — | — | 5y ago | XSS in the `of` option of the `.position()` util in jquery-ui | |||
| CVE-2021-41182 | unknown | — | — | 5y ago | XSS in the `altField` option of the Datepicker widget in jquery-ui | |||
| CVE-2021-41183 | unknown | — | — | 5y ago | XSS in `*Text` options of the Datepicker widget in jquery-ui | |||
| CVE-2021-42575 | unknown | — | — | 5y ago | Policies not properly enforced in OWASP Java HTML Sanitizer | |||
| CVE-2021-33609 | unknown | — | — | 5y ago | Denial of service in DataCommunicator class in Vaadin 8 | |||
| CVE-2021-25738 | unknown | — | — | 5y ago | Code injection in Kubernetes Java Client | |||
| CVE-2021-3312 | unknown | — | — | 5y ago | XML External Entity Reference in org.opencms:opencms-core | |||
| CVE-2021-28170 | unknown | — | — | 5y ago | Improper Input Validation in Jakarta Expression Language | |||
| CVE-2021-41862 | unknown | — | — | 5y ago | Expression injection in AviatorScript | |||
| CVE-2021-41616 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in org.apache.ddlutils:ddlutils | |||
| CVE-2021-25959 | unknown | — | — | 5y ago | Cross-site Scripting in OpenCRX | |||
| CVE-2021-36749 | unknown | — | — | 5y ago | Druid ingestion system Authenticated users can read data from other sources than intended | |||
| CVE-2021-38153 | unknown | — | — | 5y ago | Observable Discrepancy in Apache Kafka | |||
| CVE-2021-41084 | unknown | — | — | 5y ago | Response Splitting from unsanitized headers | |||
| CVE-2021-26333 | unknown | — | — | 5y ago | An information disclosure vulnerability exists in AMD Platform Security Processor (PSP) chipset driver. The discretionary access control list (DACL) may allow low privileged users to open a handle an… | |||
| CVE-2021-40690 | unknown | — | — | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario | |||
| CVE-2021-41079 | unknown | — | — | 5y ago | Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a spec… | |||
| CVE-2021-22147 | unknown | — | — | 5y ago | Exposure of sensitive information in Elasticsearch | |||
| CVE-2021-39239 | unknown | — | — | 5y ago | XML External Entity Reference in Apache Jena | |||
| CVE-2021-41303 | unknown | — | — | 5y ago | Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass | |||
| CVE-2021-40146 | unknown | — | — | 5y ago | Remote Code Execution in Any23 | |||
| CVE-2021-38555 | unknown | — | — | 5y ago | XML Injection in Any23 | |||
| CVE-2021-37579 | unknown | — | — | 5y ago | Security check skip in Apache Dubbo | |||
| CVE-2021-36161 | unknown | — | — | 5y ago | Remote Code Execution in Apache Dubbo | |||
| CVE-2021-36162 | unknown | — | — | 5y ago | Remote Code Execution in Apache Dubbo | |||
| CVE-2021-36163 | unknown | — | — | 5y ago | Hessian protocol configuration vulnerability in Apache Dubbo | |||
| CVE-2021-40143 | unknown | — | — | 5y ago | HTTP header injection in Sonatype Nexus Repository | |||
| CVE-2021-39194 | unknown | — | — | 5y ago | Improper Handling of Missing Values in kaml | |||
| CVE-2021-39177 | unknown | — | — | 5y ago | User impersonation due to incorrect handling of the login JWT | |||
| CVE-2021-27578 | unknown | — | — | 5y ago | Cross-site Scripting in Apache Zeppelin | |||
| CVE-2021-39185 | unknown | — | — | 5y ago | Default CORS config allows any origin with credentials | |||
| CVE-2021-34371 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in Neo4j | |||
| CVE-2021-39132 | unknown | — | — | 5y ago | YAML deserialization can run untrusted code | |||
| CVE-2021-39133 | unknown | — | — | 5y ago | Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server | |||
| CVE-2021-39134 | unknown | — | — | 5y ago | `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contract… | |||
| CVE-2021-39135 | unknown | — | — | 5y ago | `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts … | |||
| CVE-2021-32827 | unknown | — | — | 5y ago | Injection in MockServer | |||
| CVE-2021-33605 | unknown | — | — | 5y ago | Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20 | |||
| CVE-2021-39139 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39140 | unknown | — | — | 5y ago | XStream can cause a Denial of Service | |||
| CVE-2021-39141 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39145 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39146 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39147 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39148 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39149 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39150 | unknown | — | — | 5y ago | A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host | |||
| CVE-2021-39151 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39152 | unknown | — | — | 5y ago | A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host | |||
| CVE-2021-39153 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-39154 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack | |||
| CVE-2021-37714 | unknown | — | — | 5y ago | Uncaught Exception in jsoup | |||
| CVE-2021-33348 | unknown | — | — | 5y ago | Cross-site scripting in jfinal | |||
| CVE-2021-26920 | unknown | — | — | 5y ago | Druid ingestion system Authenticated users can read data from other sources than intended | |||
| CVE-2021-33192 | unknown | — | — | 5y ago | Cross-site scripting in Apache Jena Fuseki | |||
| CVE-2021-30640 | unknown | — | — | 5y ago | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This… | |||
| CVE-2021-33037 | unknown | — | — | 5y ago | Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request… | |||
| CVE-2021-30639 | unknown | — | — | 5y ago | A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the e… | |||
| CVE-2021-37578 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in Apache jUDDI | |||
| CVE-2021-22144 | unknown | — | — | 5y ago | Denial of Service in Elasticsearch | |||
| CVE-2021-33900 | unknown | — | — | 5y ago | Missing encryption in Apache Directory Studio | |||
| CVE-2021-23408 | unknown | — | — | 5y ago | Prototype Pollution in GraphHopper |