CVEs from 2021
Total
4,784
critical
critical 281
high
high 1,014
medium
medium 1,186
low
low 139
% Critical
5.9%
% with KEV
4.5%
% with exploit
5.4%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-32773 | medium | — | 5.5 | — | Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to in… | |||
| CVE-2021-33366 | medium | — | 5.5 | — | Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | |||
| CVE-2021-33364 | medium | — | 5.5 | — | Memory leak in the def_parent_box_new function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | |||
| CVE-2021-31262 | medium | — | 5.5 | — | The AV1_DuplicateConfig function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-21898 | medium | — | 5.5 | — | A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to an out-of-bounds write.… | |||
| CVE-2021-33361 | medium | — | 5.5 | — | Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | |||
| CVE-2021-31261 | medium | — | 5.5 | — | The gf_hinter_track_new function in GPAC 1.0.1 allows attackers to read memory via a crafted file in the MP4Box command. | |||
| CVE-2021-21854 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |||
| CVE-2021-35958 | medium | — | 5.5 | — | TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils… | |||
| CVE-2021-34339 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-34342 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-33480 | medium | — | 5.5 | — | An use-after-free vulnerability was discovered in gocr through 0.53-20200802 in context_correction() in pgm2asc.c. | |||
| CVE-2021-31258 | medium | — | 5.5 | — | The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-44975 | medium | — | 5.5 | — | radareorg radare2 5.5.2 is vulnerable to Buffer Overflow via /libr/core/anal_objc.c mach-o parser. | |||
| CVE-2021-34825 | medium | — | 5.5 | — | Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system. | |||
| CVE-2021-42326 | medium | — | 5.5 | — | Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter. | |||
| CVE-2021-34528 | medium | — | 5.5 | — | multiple issues in code | |||
| CVE-2021-35058 | medium | — | 5.5 | — | multiple issues in hyperkitty | |||
| CVE-2021-22258 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-37595 | medium | — | 5.5 | — | In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_RANGE File Contents Request PDU. | |||
| CVE-2021-36081 | medium | — | 5.5 | — | Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-free during a strpbrk call. | |||
| CVE-2021-22186 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-30027 | medium | — | 5.5 | — | md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document. | |||
| CVE-2021-28899 | medium | — | 5.5 | — | multiple issues in live-media | |||
| CVE-2021-32492 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-32132 | medium | — | 5.5 | — | The abst_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-30184 | medium | — | 5.5 | — | GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnlo… | |||
| CVE-2021-23957 | medium | — | 5.5 | — | Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. Note: This issue only affected Firefox for Android. Other operating systems are unaffect… | |||
| CVE-2021-30580 | medium | — | 5.5 | — | Insufficient policy enforcement in Android intents in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious application to obtain potentially sensitive … | |||
| CVE-2021-21858 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |||
| CVE-2021-1076 | medium | — | 5.5 | — | NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of servic… | |||
| CVE-2021-42386 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function | |||
| CVE-2021-23191 | medium | — | 5.5 | — | A security issue was found in htmldoc v1.9.12 and before. A NULL pointer dereference in the function image_load_jpeg() in image.cxx may result in denial of service. | |||
| CVE-2021-20229 | medium | — | 5.5 | — | A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat … | |||
| CVE-2021-30475 | medium | — | 5.5 | — | arbitrary code execution in aom | |||
| CVE-2021-31615 | medium | — | 5.5 | — | multiple issues in linux | |||
| CVE-2021-32491 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-3500 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-42378 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function | |||
| CVE-2021-42376 | medium | — | 5.5 | — | A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used fo… | |||
| CVE-2021-23169 | medium | — | 5.5 | — | A heap-buffer overflow was found in the copyIntoFrameBuffer function of OpenEXR in versions before 3.0.1. An attacker could use this flaw to execute arbitrary code with the permissions of the user ru… | |||
| CVE-2021-23158 | medium | — | 5.5 | — | A flaw was found in htmldoc in v1.9.12. Double-free in function pspdf_export(),in ps-pdf.cxx may result in a write-what-where condition, allowing an attacker to execute arbitrary code and denial of s… | |||
| CVE-2021-23165 | medium | — | 5.5 | — | A flaw was found in htmldoc before v1.9.12. Heap buffer overflow in pspdf_prepare_outpages(), in ps-pdf.cxx may lead to execute arbitrary code and denial of service. | |||
| CVE-2021-26948 | medium | — | 5.5 | — | Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file. | |||
| CVE-2021-36976 | medium | — | 5.5 | — | libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). | |||
| CVE-2021-42380 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function | |||
| CVE-2021-39930 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-31879 | medium | — | 5.5 | — | GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007. | |||
| CVE-2021-3561 | medium | — | 5.5 | — | An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bounds check in read_objects() could allow an attacker to provide a crafted malicious input causing the application to either crash or… | |||
| CVE-2021-34555 | medium | — | 5.5 | — | OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a multi-value From header field. | |||
| CVE-2021-23976 | medium | — | 5.5 | — | When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be u… | |||
| CVE-2021-22117 | medium | — | 5.5 | — | RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing attackers with sufficient local filesystem permissions to add arbitrary plugins. | |||
| CVE-2021-23159 | medium | — | 5.5 | — | A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploitable with a crafted file, that could cause an appli… | |||
| CVE-2021-23210 | medium | — | 5.5 | — | A floating point exception (divide-by-zero) issue was discovered in SoX in functon read_samples() of voc.c file. An attacker with a crafted file, could cause an application to crash. | |||
| CVE-2021-42382 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function | |||
| CVE-2021-42374 | medium | — | 5.5 | — | An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format th… | |||
| CVE-2021-41991 | medium | — | 5.5 | — | The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement o… | |||
| CVE-2021-3605 | medium | — | 5.5 | — | There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds… | |||
| CVE-2021-4001 | medium | — | 5.5 | — | A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special … | |||
| CVE-2021-4095 | medium | — | 5.5 | — | A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause… | |||
| CVE-2021-32438 | medium | — | 5.5 | — | The gf_media_export_filters function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-22169 | medium | — | 5.5 | — | information disclosure in gitlab | |||
| CVE-2021-30583 | medium | — | 5.5 | — | Insufficient policy enforcement in image handling in iOS in Google Chrome on iOS prior to 92.0.4515.107 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2021-38291 | medium | — | 5.5 | — | FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c. | |||
| CVE-2021-22563 | medium | — | 5.5 | — | Invalid JPEG XL images using libjxl can cause an out of bounds access on a std::vector<std::vector<T>> when rendering splines. The OOB read access can either lead to a segfault, or rendering splines … | |||
| CVE-2021-27400 | medium | — | 5.5 | — | certificate verification bypass in vault | |||
| CVE-2021-26937 | medium | — | 5.5 | — | encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 … | |||
| CVE-2021-3598 | medium | — | 5.5 | — | There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an ou… | |||
| CVE-2021-22879 | medium | — | 5.5 | — | Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed fo… | |||
| CVE-2021-28041 | medium | — | 5.5 | — | ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an … | |||
| CVE-2021-3760 | medium | — | 5.5 | — | A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability. | |||
| CVE-2021-38166 | medium | — | 5.5 | — | In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impracti… | |||
| CVE-2021-44143 | medium | — | 5.5 | — | A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that star… | |||
| CVE-2021-32493 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-31257 | medium | — | 5.5 | — | The HintFile function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-31259 | medium | — | 5.5 | — | The gf_isom_cenc_get_default_info_internal function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-21834 | medium | — | 5.5 | — | An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when decoding th… | |||
| CVE-2021-21844 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when enco… | |||
| CVE-2021-21851 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input at “csgp”… | |||
| CVE-2021-21860 | medium | — | 5.5 | — | An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an i… | |||
| CVE-2021-23959 | medium | — | 5.5 | — | An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating sys… | |||
| CVE-2021-37969 | medium | — | 5.5 | — | Inappropriate implementation in Google Updater in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to perform local privilege escalation via a crafted file. | |||
| CVE-2021-20294 | medium | — | 5.5 | — | A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbi… | |||
| CVE-2021-3610 | medium | — | 5.5 | — | A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array si… | |||
| CVE-2021-3962 | medium | — | 5.5 | — | A flaw was found in ImageMagick where it did not properly sanitize certain input before using it to invoke convert processes. This flaw allows an attacker to create a specially crafted image that lea… | |||
| CVE-2021-21706 | medium | — | 5.5 | — | In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when… | |||
| CVE-2021-36980 | medium | — | 5.5 | — | Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. | |||
| CVE-2021-32490 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-36754 | medium | — | 5.5 | — | PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to crash the process by sending a specific query (QTYPE 65535) that causes an out-of-bounds exception. | |||
| CVE-2021-3418 | medium | — | 5.5 | — | If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboo… | |||
| CVE-2021-21704 | medium | — | 5.5 | — | In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, … | |||
| CVE-2021-44541 | medium | — | 5.5 | — | A vulnerability was found in Privoxy which was fixed in process_encrypted_request_headers() by freeing header memory when failing to get the request destination. | |||
| CVE-2021-31255 | medium | — | 5.5 | — | Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | |||
| CVE-2021-34341 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-34340 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-37232 | medium | — | 5.5 | — | A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_r… | |||
| CVE-2021-30159 | medium | — | 5.5 | — | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePag… | |||
| CVE-2021-40145 | medium | — | 5.5 | — | gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has t… | |||
| CVE-2021-3770 | medium | — | 5.5 | — | vim is vulnerable to Heap-based Buffer Overflow | |||
| CVE-2021-32134 | medium | — | 5.5 | — | The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. |