CVEs from 2021
Total
4,786
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.5%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-47173 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: misc/uss720: fix memory leak in uss720_probe uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. Fix this by… | |||
| CVE-2021-47176 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: s390/dasd: add missing discipline function Fix crash with illegal operation exception in dasd_device_tasklet. Commit b72949328869… | |||
| CVE-2021-47177 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix sysfs leak in alloc_iommu() iommu_device_sysfs_add() is called before, so is has to be cleaned on subsequent erro… | |||
| CVE-2021-47180 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: NFC: nci: fix memory leak in nci_allocate_device nfcmrvl_disconnect fails to free the hci_dev field in struct nci_dev. Fix this b… | |||
| CVE-2021-47181 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: usb: musb: tusb6010: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resour… | |||
| CVE-2021-47183 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix link down processing to address NULL pointer dereference If an FC link down transition while PLOGIs are outstandi… | |||
| CVE-2021-47184 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: i40e: Fix NULL ptr dereference on VSI filter sync Remove the reason of null pointer dereference in sync VSI filters. Added new I4… | |||
| CVE-2021-47187 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: msm8998: Fix CPU/L2 idle state latency and residency The entry/exit latency and minimum residency in state for … | |||
| CVE-2021-47186 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: tipc: check for null after calling kmemdup kmemdup can return a null pointer so need to check for it, otherwise the null key will… | |||
| CVE-2021-47189 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory ordering between normal and ordered work functions Ordered work functions aren't guaranteed to be handled by th… | |||
| CVE-2021-47190 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: perf bpf: Avoid memory leak from perf_env__insert_btf() perf_env__insert_btf() doesn't insert if a duplicate BTF id is encountere… | |||
| CVE-2021-47192 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: c… | |||
| CVE-2021-47196 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Set send and receive CQ before forwarding to the driver Preset both receive and send CQ pointers prior to call to the … | |||
| CVE-2021-47193 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Fix memory leak during rmmod Driver failed to release all memory allocated. This would lead to memory leak during d… | |||
| CVE-2021-47195 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free of the add_lock mutex Commit 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on SPI buses") … | |||
| CVE-2021-47198 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine An error is detected with the following report when unloading the driv… | |||
| CVE-2021-47227 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Prevent state corruption in __fpu__restore_sig() The non-compacted slowpath uses __copy_from_user() and copies the entir… | |||
| CVE-2021-47228 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: x86/ioremap: Map EFI-reserved memory as encrypted for SEV Some drivers require memory that is marked as EFI boot services data. I… | |||
| CVE-2021-47229 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: PCI: aardvark: Fix kernel panic during PIO transfer Trying to start a new PIO transfer by writing value 0 in PIO_START register w… | |||
| CVE-2021-47235 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: fix potential use-after-free in ec_bhf_remove static void ec_bhf_remove(struct pci_dev *dev) { ... struct ec_bhf_… | |||
| CVE-2021-47237 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: hamradio: fix memory leak in mkiss_close My local syzbot instance hit memory leak in mkiss_open()[1]. The problem was in mis… | |||
| CVE-2021-47240 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix OOB Read in qrtr_endpoint_post Syzbot reported slab-out-of-bounds Read in qrtr_endpoint_post. The problem was in w… | |||
| CVE-2021-47238 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix memory leak in ip_mc_add1_src BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-execu… | |||
| CVE-2021-46747 | unknown | — | — | 6d ago | Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application to map sensitive SMN (System Management Network) apertures lead… | |||
| CVE-2021-47621 | unknown | — | — | 2y ago | ClassGraph XML External Entity Reference | |||
| CVE-2021-3754 | unknown | — | — | 2y ago | Keycloak's improper input validation allows using email as username | |||
| CVE-2021-22573 | unknown | — | — | 2y ago | google-oauth-java-client improperly verifies cryptographic signature | |||
| CVE-2021-28656 | unknown | — | — | 2y ago | Apache Zeppelin CSRF vulnerability in the Credentials page | |||
| CVE-2021-29038 | unknown | — | — | 2y ago | Liferay Portal and Liferay DXP Does Not Obfuscate Password Reminder Answers | |||
| CVE-2021-29050 | unknown | — | — | 2y ago | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Request Forgery in Terms of Use Page | |||
| CVE-2021-37942 | unknown | — | — | 3y ago | APM Java Agent Local Privilege Escalation issue | |||
| CVE-2021-32050 | unknown | — | — | 3y ago | Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data… | |||
| CVE-2021-28655 | unknown | — | — | 3y ago | Apache Zeppelin Improper Input Validation vulnerability | |||
| CVE-2021-31635 | unknown | — | — | 3y ago | jFinal Server-Side Template Injection vulnerability | |||
| CVE-2021-40331 | unknown | — | — | 3y ago | Apache Ranger Hive Plugin missing permissions check | |||
| CVE-2021-28235 | unknown | — | — | 3y ago | Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function. | |||
| CVE-2021-46877 | unknown | — | — | 3y ago | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonN… | |||
| CVE-2021-37305 | unknown | — | — | 3y ago | Insecure Permissions issue in jeecg-boot | |||
| CVE-2021-37304 | unknown | — | — | 3y ago | Insecure Permissions issue in jeecg-boot | |||
| CVE-2021-37306 | unknown | — | — | 3y ago | Insecure Permissions issue in jeecg-boot | |||
| CVE-2021-32828 | unknown | — | — | 4y ago | Nuxeo vulnerable to Reflected Cross-Site Scripting leading to Remote Code Execution | |||
| CVE-2021-32824 | unknown | — | — | 4y ago | Apache Dubbo vulnerable to remote code execution via Telnet Handler | |||
| CVE-2021-37533 | unknown | — | — | 4y ago | Apache Commons Net vulnerable to information leakage via malicious server | |||
| CVE-2021-42010 | unknown | — | — | 4y ago | Heron allows CRLF log injection | |||
| CVE-2021-43980 | unknown | — | — | 4y ago | The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in … | |||
| CVE-2021-43565 | unknown | — | — | 4y ago | The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. | |||
| CVE-2021-3644 | unknown | — | — | 4y ago | wildfly-core allows user with access to management interface to access vault expression, retrieve item from vault | |||
| CVE-2021-3856 | unknown | — | — | 4y ago | Keycloak has Files or Directories Accessible to External Parties | |||
| CVE-2021-25642 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Apache Hadoop YARN | |||
| CVE-2021-42521 | unknown | — | — | 4y ago | There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', … | |||
| CVE-2021-3914 | unknown | — | — | 4y ago | SmallRye Health UI Cross-site Scripting vulnerability | |||
| CVE-2021-4040 | unknown | — | — | 4y ago | org.apache.activemq:artemis-core-client Vulnerable to Out-of-Bounds Write | |||
| CVE-2021-34538 | unknown | — | — | 4y ago | Apache Hive before 3.1.3 `CREATE` and `DROP` function operations do not check for necessary authorization. | |||
| CVE-2021-3859 | unknown | — | — | 4y ago | Undertow vulnerable to Denial of Service (DoS) attacks | |||
| CVE-2021-3690 | unknown | — | — | 4y ago | Undertow vulnerable to memory exhaustion due to buffer leak | |||
| CVE-2021-4178 | unknown | — | — | 4y ago | fabric8 kubernetes-client vulnerable | |||
| CVE-2021-44791 | unknown | — | — | 4y ago | Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters | |||
| CVE-2021-41042 | unknown | — | — | 4y ago | XML External Entity Reference in Eclipse Lyo | |||
| CVE-2021-41411 | unknown | — | — | 4y ago | XML External Entity Reference in drools | |||
| CVE-2021-33036 | unknown | — | — | 4y ago | User account escalation in Apache Hadoop | |||
| CVE-2021-40660 | unknown | — | — | 4y ago | Regular expression denial of service in Delight Nashorn Sandbox | |||
| CVE-2021-37404 | unknown | — | — | 4y ago | Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2 | |||
| CVE-2021-3629 | unknown | — | — | 4y ago | Undertow Uncontrolled Resource Consumption | |||
| CVE-2021-3717 | unknown | — | — | 4y ago | Wildfly-Core user account mismanagement | |||
| CVE-2021-3597 | unknown | — | — | 4y ago | undertow Race Condition vulnerability | |||
| CVE-2021-33322 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP fails to invalidate password reset tokens after use | |||
| CVE-2021-20328 | unknown | — | — | 4y ago | Improper Certificate Validation in MongoDB | |||
| CVE-2021-33330 | unknown | — | — | 4y ago | Exposure of Resource to Wrong Sphere in Liferay Portal | |||
| CVE-2021-21662 | unknown | — | — | 4y ago | Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows enumerating credentials IDs | |||
| CVE-2021-29049 | unknown | — | — | 4y ago | Liferay DXP Vulnerable to Cross-Site Scripting (XSS) via the currentURL Parameter | |||
| CVE-2021-21700 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Scriptler Plugin | |||
| CVE-2021-43576 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins pom2config Plugin | |||
| CVE-2021-43577 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins OWASP Dependency-Check Plugin | |||
| CVE-2021-43578 | unknown | — | — | 4y ago | Agent-to-controller security bypass in Jenkins Squash TM Publisher (Squash4Jenkins) Plugin allows writing arbitrary files | |||
| CVE-2021-21701 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Performance Plugin | |||
| CVE-2021-21699 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Active Choices Plugin | |||
| CVE-2021-21698 | unknown | — | — | 4y ago | Path traversal vulnerability in Jenkins Subversion Plugin allows reading arbitrary files | |||
| CVE-2021-22096 | unknown | — | — | 4y ago | Improper Output Neutralization for Logs in Spring Framework | |||
| CVE-2021-22097 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Spring AMQP | |||
| CVE-2021-22047 | unknown | — | — | 4y ago | Exposure of Resource to Wrong Sphere in Spring Data REST | |||
| CVE-2021-22044 | unknown | — | — | 4y ago | Exposure of Resource to Wrong Sphere in Spring Cloud OpenFeign | |||
| CVE-2021-2471 | unknown | — | — | 4y ago | Incorrect Authorization in MySQL Connector Java | |||
| CVE-2021-3869 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in Stanford CoreNLP | |||
| CVE-2021-3878 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in Stanford CoreNLP | |||
| CVE-2021-21684 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Git Plugin | |||
| CVE-2021-40824 | unknown | — | — | 4y ago | Logic error in Matrix SDK for Android | |||
| CVE-2021-40797 | unknown | — | — | 4y ago | An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authentic… | |||
| CVE-2021-21678 | unknown | — | — | 4y ago | Jenkins SAML Plugin allows bypassing CSRF protection for any URL | |||
| CVE-2021-21679 | unknown | — | — | 4y ago | Jenkins Azure AD Plugin allows bypassing CSRF protection for any URL | |||
| CVE-2021-21680 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Nested View Plugin | |||
| CVE-2021-21681 | unknown | — | — | 4y ago | Password stored in plain text by Jenkins Nomad Plugin | |||
| CVE-2021-21677 | unknown | — | — | 4y ago | RCE vulnerability in Jenkins Code Coverage API Plugin | |||
| CVE-2021-40085 | unknown | — | — | 4y ago | An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value. | |||
| CVE-2021-38598 | unknown | — | — | 4y ago | OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending c… | |||
| CVE-2021-28490 | unknown | — | — | 4y ago | Cross-Site Request Forgery in OWASP CSRFGuard | |||
| CVE-2021-38155 | unknown | — | — | 4y ago | OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). … | |||
| CVE-2021-3642 | unknown | — | — | 4y ago | Observable Discrepancy in Wildfly Elytron | |||
| CVE-2021-33335 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers | |||
| CVE-2021-33336 | unknown | — | — | 4y ago | Liferay Portal Journal Module and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) | |||
| CVE-2021-33338 | unknown | — | — | 4y ago | Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs |