CVEs from 2021
Total
4,786
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.5%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-35619 | unknown | — | — | — | ||||
| CVE-2021-39520 | unknown | — | — | — | An issue was discovered in libjpeg through 2020021. A NULL pointer dereference exists in the function BlockBitmapRequester::PushReconstructedData() located in blockbitmaprequester.cpp. It allows an a… | |||
| CVE-2021-3574 | unknown | — | — | — | A vulnerability was found in ImageMagick-7.0.11-5, where executing a crafted file with the convert command, ASAN detects memory leaks. | |||
| CVE-2021-0076 | unknown | — | — | — | ||||
| CVE-2021-47326 | unknown | — | — | — | ||||
| CVE-2021-42218 | unknown | — | — | — | OMPL v1.5.2 contains a memory leak in VFRRT.cpp | |||
| CVE-2021-32434 | unknown | — | — | — | abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c. | |||
| CVE-2021-3542 | unknown | — | — | — | ||||
| CVE-2021-32625 | unknown | — | — | — | Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer, could be exploited using … | |||
| CVE-2021-42614 | unknown | — | — | — | A use after free in info_width_internal in bk_info.c in Halibut 1.2 allows an attacker to cause a segmentation fault or possibly have unspecified other impact via a crafted text document. | |||
| CVE-2021-46744 | unknown | — | — | — | ||||
| CVE-2021-46975 | unknown | — | — | — | ||||
| CVE-2021-45985 | unknown | — | — | — | In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. | |||
| CVE-2021-38094 | unknown | — | — | — | Integer Overflow vulnerability in function filter_sobel in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. | |||
| CVE-2021-36057 | unknown | — | — | — | XMP Toolkit SDK version 2020.1 (and earlier) is affected by a write-what-where condition vulnerability caused during the application's memory allocation process. This may cause the memory management … | |||
| CVE-2021-27345 | unknown | — | — | — | A null pointer dereference was discovered in ucompthread in stream.c in Irzip 0.631 which allows attackers to cause a denial of service (DOS) via a crafted compressed file. | |||
| CVE-2021-42387 | unknown | — | — | — | Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from … | |||
| CVE-2021-28707 | unknown | — | — | — | PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be starte… | |||
| CVE-2021-39361 | unknown | — | — | — | In GNOME evolution-rss through 0.3.96, network-soup.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: t… | |||
| CVE-2021-33586 | unknown | — | — | — | InspIRCd 3.8.0 through 3.9.x before 3.10.0 allows any user (able to connect to the server) to access recently deallocated memory, aka the "malformed PONG" issue. | |||
| CVE-2021-44216 | unknown | — | — | — | ||||
| CVE-2021-25316 | unknown | — | — | — | ||||
| CVE-2021-46239 | unknown | — | — | — | The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid free vulnerability via the function gf_free () at utils/alloc.c. This vulnerability can lead to a Denial of Service (DoS). | |||
| CVE-2021-46312 | unknown | — | — | — | An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero. | |||
| CVE-2021-38562 | unknown | — | — | — | Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. | |||
| CVE-2021-32686 | unknown | — | — | — | PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1… | |||
| CVE-2021-42778 | unknown | — | — | — | A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo. | |||
| CVE-2021-21772 | unknown | — | — | — | A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker ca… | |||
| CVE-2021-37706 | unknown | — | — | — | PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the in… | |||
| CVE-2021-45952 | unknown | — | — | — | ||||
| CVE-2021-4214 | unknown | — | — | — | A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an applicat… | |||
| CVE-2021-3606 | unknown | — | — | — | OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with … | |||
| CVE-2021-34182 | unknown | — | — | — | An issue in ttyd v.1.6.3 allows attacker to execute arbitrary code via default configuration permissions. | |||
| CVE-2021-47208 | unknown | — | — | — | The Mojolicious module before 9.11 for Perl has a bug in format detection that can potentially be exploited for denial of service. | |||
| CVE-2021-37592 | unknown | — | — | — | Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments. | |||
| CVE-2021-46900 | unknown | — | — | — | Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is … | |||
| CVE-2021-4456 | unknown | — | — | — | Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR… | |||
| CVE-2021-45081 | unknown | — | — | — | ||||
| CVE-2021-43530 | unknown | — | — | — | A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. *This bug only affects Firefox for Android. Other o… | |||
| CVE-2021-40330 | unknown | — | — | — | git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localho… | |||
| CVE-2021-44476 | unknown | — | — | — | A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to read local files on the server, including sensitive configuration fil… | |||
| CVE-2021-32421 | unknown | — | — | — | dpic 2021.01.01 has a Heap Use-After-Free in thedeletestringbox() function in dpic.y. | |||
| CVE-2021-46047 | unknown | — | — | — | A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_hinter_finalize function. | |||
| CVE-2021-45111 | unknown | — | — | — | Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user account… | |||
| CVE-2021-40566 | unknown | — | — | — | A Segmentation fault casued by heap use after free vulnerability exists in Gpac through 1.0.1 via the mpgviddmx_process function in reframe_mpgvid.c when using mp4box, which causes a denial of servic… | |||
| CVE-2021-45260 | unknown | — | — | — | A null pointer dereference vulnerability exists in gpac 1.1.0 in the lsr_read_id.part function, which causes a segmentation fault and application crash. | |||
| CVE-2021-3567 | unknown | — | — | — | A flaw was found in Caribou due to a regression of CVE-2020-25712 fix. An attacker could use this flaw to bypass screen-locking applications that leverage Caribou as an input mechanism. The highest t… | |||
| CVE-2021-40648 | unknown | — | — | — | In man2html 1.6g, a filename can be created to overwrite the previous size parameter of the next chunk and the fd, bk, fd_nextsize, bk_nextsize of the current chunk. The next chunk is then freed late… | |||
| CVE-2021-3888 | unknown | — | — | — | libmobi is vulnerable to Use of Out-of-range Pointer Offset | |||
| CVE-2021-25802 | unknown | — | — | — | A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file. | |||
| CVE-2021-4319 | unknown | — | — | — | Use after free in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | |||
| CVE-2021-33450 | unknown | — | — | — | An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_calloc() in nasmlib/alloc.c. | |||
| CVE-2021-4322 | unknown | — | — | — | Use after free in DevTools in Google Chrome prior to 91.0.4472.77 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (… | |||
| CVE-2021-37147 | unknown | — | — | — | Improper input validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0. | |||
| CVE-2021-27737 | unknown | — | — | — | Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin. | |||
| CVE-2021-32565 | unknown | — | — | — | Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.… | |||
| CVE-2021-27577 | unknown | — | — | — | Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.… | |||
| CVE-2021-35474 | unknown | — | — | — | Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. | |||
| CVE-2021-32567 | unknown | — | — | — | Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0… | |||
| CVE-2021-37150 | unknown | — | — | — | Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2. | |||
| CVE-2021-37149 | unknown | — | — | — | Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to smuggle requests. This issue affects Apache Traffic Server 8.0.0 to 8.1.2 and 9.0.0 to 9.1.0. | |||
| CVE-2021-38161 | unknown | — | — | — | Improper Authentication vulnerability in TLS origin verification of Apache Traffic Server allows for man in the middle attacks. This issue affects Apache Traffic Server 8.0.0 to 8.0.8. | |||
| CVE-2021-41585 | unknown | — | — | — | Improper Input Validation vulnerability in accepting socket connections in Apache Traffic Server allows an attacker to make the server stop accepting new connections. This issue affects Apache Traffi… | |||
| CVE-2021-44759 | unknown | — | — | — | Improper Authentication vulnerability in TLS origin validation of Apache Traffic Server allows an attacker to create a man in the middle attack. This issue affects Apache Traffic Server 8.0.0 to 8.1.… | |||
| CVE-2021-36779 | unknown | — | — | — | ||||
| CVE-2021-32000 | unknown | — | — | — | ||||
| CVE-2021-4186 | unknown | — | — | — | Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-4190 | unknown | — | — | — | Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-4182 | unknown | — | — | — | Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-4181 | unknown | — | — | — | Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-40818 | unknown | — | — | — | scheme/webauthn.c in Glewlwyd SSO server through 2.5.3 has a buffer overflow during FIDO2 signature validation in webauthn registration. | |||
| CVE-2021-46174 | unknown | — | — | — | Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37. | |||
| CVE-2021-45953 | unknown | — | — | — | ||||
| CVE-2021-33468 | unknown | — | — | — | An issue was discovered in yasm version 1.3.0. There is a use-after-free in error() in modules/preprocs/nasm/nasm-pp.c. | |||
| CVE-2021-47545 | unknown | — | — | — | ||||
| CVE-2021-33457 | unknown | — | — | — | An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in expand_mmac_params() in modules/preprocs/nasm/nasm-pp.c. | |||
| CVE-2021-20248 | unknown | — | — | — | ||||
| CVE-2021-3816 | unknown | — | — | — | Cacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary HTML in the group_prefix field during the creation of a new group via "Copy" method at user_group_admin.ph… | |||
| CVE-2021-0166 | unknown | — | — | — | ||||
| CVE-2021-41241 | unknown | — | — | — | ||||
| CVE-2021-20200 | unknown | — | — | — | ||||
| CVE-2021-40656 | unknown | — | — | — | libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/quant.c:867. | |||
| CVE-2021-0183 | unknown | — | — | — | ||||
| CVE-2021-20240 | unknown | — | — | — | A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to c… | |||
| CVE-2021-44577 | unknown | — | — | — | ||||
| CVE-2021-44504 | unknown | — | — | — | An issue was discovered in FIS GT.M through V7.0-000 (related to the YottaDB code base). Using crafted input, an attacker can cause a size variable, stored as an signed int, to equal an extremely lar… | |||
| CVE-2021-42704 | unknown | — | — | — | Inkscape version 0.91 is vulnerable to an out-of-bounds write, which may allow an attacker to arbitrary execute code. | |||
| CVE-2021-46946 | unknown | — | — | — | ||||
| CVE-2021-25786 | unknown | — | — | — | An issue was discovered in QPDF version 10.0.4, allows remote attackers to execute arbitrary code via crafted .pdf file to Pl_ASCII85Decoder::write parameter in libqpdf. | |||
| CVE-2021-0127 | unknown | — | — | — | Insufficient control flow management in some Intel(R) Processors may allow an authenticated user to potentially enable a denial of service via local access. | |||
| CVE-2021-27020 | unknown | — | — | — | Puppet Enterprise presented a security risk by not sanitizing user input when doing a CSV export. | |||
| CVE-2021-22141 | unknown | — | — | — | ||||
| CVE-2021-45103 | unknown | — | — | — | An issue was discovered in HTCondor 9.0.x before 9.0.10 and 9.1.x before 9.5.1. An attacker can access files stored in S3 cloud storage that a user has asked HTCondor to transfer. | |||
| CVE-2021-25312 | unknown | — | — | — | HTCondor before 8.9.11 allows a user to submit a job as another user on the system, because of a flaw in the IDTOKENS authentication method. | |||
| CVE-2021-47154 | unknown | — | — | — | The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass a… | |||
| CVE-2021-28692 | unknown | — | — | — | inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, a… | |||
| CVE-2021-28690 | unknown | — | — | — | x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for detai… | |||
| CVE-2021-28699 | unknown | — | — | — | inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a resu… | |||
| CVE-2021-26342 | unknown | — | — | — | ||||
| CVE-2021-28698 | unknown | — | — | — | long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In th… |