CVEs from 2021
Total
4,791
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.4%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-43814 | medium | — | 5.5 | — | multiple issues in rizin | |||
| CVE-2021-3472 | medium | — | 5.5 | — | A flaw was found in xorg-x11-server in versions before 1.20.11. An integer underflow can occur in xserver which can lead to a local privilege escalation. The highest threat from this vulnerability is… | |||
| CVE-2021-22568 | medium | — | 5.5 | — | multiple issues in dart | |||
| CVE-2021-37861 | medium | — | 5.5 | — | information disclosure in mattermost | |||
| CVE-2021-31876 | medium | — | 5.5 | — | multiple issues in bitcoin-daemon | |||
| CVE-2021-3195 | medium | — | 5.5 | — | multiple issues in bitcoin-daemon | |||
| CVE-2021-20272 | medium | — | 5.5 | — | A flaw was found in privoxy before 3.0.32. An assertion failure could be triggered with a crafted CGI request leading to server crash. | |||
| CVE-2021-44540 | medium | — | 5.5 | — | A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing. | |||
| CVE-2021-44543 | medium | — | 5.5 | — | An XSS vulnerability was found in Privoxy which was fixed in cgi_error_no_template() by encode the template name when Privoxy is configured to servce the user-manual itself. | |||
| CVE-2021-32440 | medium | — | 5.5 | — | The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-30155 | medium | — | 5.5 | — | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of… | |||
| CVE-2021-3024 | medium | — | 5.5 | — | information disclosure in vault | |||
| CVE-2021-38171 | medium | — | 5.5 | — | adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted. | |||
| CVE-2021-30199 | medium | — | 5.5 | — | In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer Dereference, when gf_filter_pck_get_data is called. The first arg pck may be null with a crafted mp4 file,which results in a crash. | |||
| CVE-2021-37746 | medium | — | 5.5 | — | textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click. | |||
| CVE-2021-3578 | medium | — | 5.5 | — | A flaw was found in mbsync before v1.3.6 and v1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated stru… | |||
| CVE-2021-21850 | medium | — | 5.5 | — | An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an int… | |||
| CVE-2021-20307 | medium | — | 5.5 | — | Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20~rc2+dfsg-3 and earlier can lead to read and write arbitrary memory values. | |||
| CVE-2021-38295 | medium | — | 5.5 | — | privilege escalation in couchdb | |||
| CVE-2021-40530 | medium | — | 5.5 | — | The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by t… | |||
| CVE-2021-22895 | medium | — | 5.5 | — | Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. | |||
| CVE-2021-32277 | medium | — | 5.5 | — | An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function sbr_qmf_analysis_32 located in sbr_qmf.c. It allows an attacker to cause code Execution. | |||
| CVE-2021-42379 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function | |||
| CVE-2021-30500 | medium | — | 5.5 | — | Null pointer dereference was found in upx PackLinuxElf::canUnpack() in p_lx_elf.cpp,in version UPX 4.0.0. That allow attackers to execute arbitrary code and cause a denial of service via a crafted fi… | |||
| CVE-2021-30470 | medium | — | 5.5 | — | A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call among PdfTokenizer::ReadArray(), PdfTokenizer::GetNextVariant() and PdfTokenizer::ReadDataType() functions can lead to a stack overflo… | |||
| CVE-2021-32773 | medium | — | 5.5 | — | Racket is a general-purpose programming language and an ecosystem for language-oriented programming. In versions prior to 8.2, code evaluated using the Racket sandbox could cause system modules to in… | |||
| CVE-2021-31261 | medium | — | 5.5 | — | The gf_hinter_track_new function in GPAC 1.0.1 allows attackers to read memory via a crafted file in the MP4Box command. | |||
| CVE-2021-21854 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |||
| CVE-2021-35958 | medium | — | 5.5 | — | TensorFlow through 2.5.0 allows attackers to overwrite arbitrary files via a crafted archive when tf.keras.utils.get_file is used with extract=True. NOTE: the vendor's position is that tf.keras.utils… | |||
| CVE-2021-34339 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-34342 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-33480 | medium | — | 5.5 | — | An use-after-free vulnerability was discovered in gocr through 0.53-20200802 in context_correction() in pgm2asc.c. | |||
| CVE-2021-28300 | medium | — | 5.5 | — | NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to execute arbitrary code or cause a Denial-of-Service (DoS) by uploading a malicio… | |||
| CVE-2021-31258 | medium | — | 5.5 | — | The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-44975 | medium | — | 5.5 | — | radareorg radare2 5.5.2 is vulnerable to Buffer Overflow via /libr/core/anal_objc.c mach-o parser. | |||
| CVE-2021-34825 | medium | — | 5.5 | — | Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system. | |||
| CVE-2021-42326 | medium | — | 5.5 | — | Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter. | |||
| CVE-2021-34528 | medium | — | 5.5 | — | multiple issues in code | |||
| CVE-2021-35058 | medium | — | 5.5 | — | multiple issues in hyperkitty | |||
| CVE-2021-22258 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-37595 | medium | — | 5.5 | — | In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_request in client/Windows/wf_cliprdr.c has missing input checks for a FILECONTENTS_RANGE File Contents Request PDU. | |||
| CVE-2021-36081 | medium | — | 5.5 | — | Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-free during a strpbrk call. | |||
| CVE-2021-22186 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-30027 | medium | — | 5.5 | — | md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document. | |||
| CVE-2021-28899 | medium | — | 5.5 | — | multiple issues in live-media | |||
| CVE-2021-30184 | medium | — | 5.5 | — | GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnlo… | |||
| CVE-2021-41805 | medium | — | 5.5 | — | HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can … | |||
| CVE-2021-23957 | medium | — | 5.5 | — | Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. Note: This issue only affected Firefox for Android. Other operating systems are unaffect… | |||
| CVE-2021-30580 | medium | — | 5.5 | — | Insufficient policy enforcement in Android intents in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious application to obtain potentially sensitive … | |||
| CVE-2021-21858 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |||
| CVE-2021-33362 | medium | — | 5.5 | — | Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | |||
| CVE-2021-30158 | medium | — | 5.5 | — | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user mi… | |||
| CVE-2021-41799 | medium | — | 5.5 | — | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan. | |||
| CVE-2021-41798 | medium | — | 5.5 | — | MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page. | |||
| CVE-2021-36773 | medium | — | 5.5 | — | uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recurs… | |||
| CVE-2021-32055 | medium | — | 5.5 | — | Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set en… | |||
| CVE-2021-28213 | medium | — | 5.5 | — | Example EDK2 encrypted private key in the IpSecDxe.efi present potential security risks. | |||
| CVE-2021-3623 | medium | — | 5.5 | — | A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM … | |||
| CVE-2021-30471 | medium | — | 5.5 | — | A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call in PdfNamesTree::AddToDictionary function in src/podofo/doc/PdfNamesTree.cpp can lead to a stack overflow. | |||
| CVE-2021-3700 | medium | — | 5.5 | — | A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts… | |||
| CVE-2021-39537 | medium | — | 5.5 | — | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. | |||
| CVE-2021-21842 | medium | — | 5.5 | — | An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an int… | |||
| CVE-2021-32278 | medium | — | 5.5 | — | An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function lt_prediction located in lt_predict.c. It allows an attacker to cause code Execution. | |||
| CVE-2021-32276 | medium | — | 5.5 | — | An issue was discovered in faad2 through 2.10.0. A NULL pointer dereference exists in the function get_sample() located in output.c. It allows an attacker to cause Denial of Service. | |||
| CVE-2021-3185 | medium | — | 5.5 | — | A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly co… | |||
| CVE-2021-42373 | medium | — | 5.5 | — | A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given | |||
| CVE-2021-20274 | medium | — | 5.5 | — | A flaw was found in privoxy before 3.0.32. A crash may occur due a NULL-pointer dereference when the socks server misbehaves. | |||
| CVE-2021-40529 | medium | — | 5.5 | — | The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dan… | |||
| CVE-2021-22191 | medium | — | 5.5 | — | Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file. | |||
| CVE-2021-42383 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | |||
| CVE-2021-42385 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | |||
| CVE-2021-20229 | medium | — | 5.5 | — | A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat … | |||
| CVE-2021-42377 | medium | — | 5.5 | — | An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& strin… | |||
| CVE-2021-30475 | medium | — | 5.5 | — | arbitrary code execution in aom | |||
| CVE-2021-41054 | medium | — | 5.5 | — | tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options. | |||
| CVE-2021-3755 | medium | — | 5.5 | — | arbitrary command execution in rsync | |||
| CVE-2021-30474 | medium | — | 5.5 | — | multiple issues in aom | |||
| CVE-2021-37601 | medium | — | 5.5 | — | muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common co… | |||
| CVE-2021-31615 | medium | — | 5.5 | — | multiple issues in linux | |||
| CVE-2021-32491 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-3624 | medium | — | 5.5 | — | There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system. | |||
| CVE-2021-31924 | medium | — | 5.5 | — | Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) … | |||
| CVE-2021-21900 | medium | — | 5.5 | — | A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dxf file can lead to a use-after-free vulnerability.… | |||
| CVE-2021-42375 | medium | — | 5.5 | — | An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved char… | |||
| CVE-2021-33896 | medium | — | 5.5 | — | Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators. | |||
| CVE-2021-21899 | medium | — | 5.5 | — | A code execution vulnerability exists in the dwgCompressor::copyCompBytes21 functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to a heap buffer overflow… | |||
| CVE-2021-25218 | medium | — | 5.5 | — | In BIND 9.16.19, 9.17.16. Also, version 9.16.19-S1 of BIND Supported Preview Edition When a vulnerable version of named receives a query under the circumstances described above, the named process wil… | |||
| CVE-2021-46142 | medium | — | 5.5 | — | An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. | |||
| CVE-2021-35940 | medium | — | 5.5 | — | An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x b… | |||
| CVE-2021-3681 | medium | — | 5.5 | — | information disclosure in ansible-core | |||
| CVE-2021-3506 | medium | — | 5.5 | — | An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain acce… | |||
| CVE-2021-35039 | medium | — | 5.5 | — | kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via ini… | |||
| CVE-2021-3483 | medium | — | 5.5 | — | A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. T… | |||
| CVE-2021-34556 | medium | — | 5.5 | — | In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism… | |||
| CVE-2021-29649 | medium | — | 5.5 | — | An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/… | |||
| CVE-2021-29264 | medium | — | 5.5 | — | An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negat… | |||
| CVE-2021-20292 | medium | — | 5.5 | — | There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of… | |||
| CVE-2021-37231 | medium | — | 5.5 | — | A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499f through APar_readX() in src/util.cpp while parsing a crafted mp4 file because of the missing boundary check. | |||
| CVE-2021-20285 | medium | — | 5.5 | — | A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other… | |||
| CVE-2021-21838 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… |