CVEs from 2022
Total
5,243
critical
critical 92
high
high 1,233
medium
medium 961
low
low 24
% Critical
1.8%
% with KEV
2.5%
% with exploit
3.4%
Top vendors
- oracle 616
- netapp 438
- microsoft 165
- omron 109
- azul 82
- schneider-electric 33
- mitsubishielectric 32
- siemens 10
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-25647 | high | 7.5 | 7.5 | 4y ago | Deserialization of Untrusted Data in Gson | |||
| CVE-2022-21476 | high | 7.5 | 7.5 | 4y ago | RHSA-2022:1491: java-1.8.0-openjdk security update (Important) | |||
| CVE-2022-24763 | high | 7.5 | 7.5 | 4y ago | PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJS… | |||
| CVE-2022-0778 | high | 7.5 | 7.5 | 4y ago | RHSA-2022:5326: compat-openssl10 security update (Low) | |||
| CVE-2022-24464 | high | 7.5 | 7.5 | 4y ago | RHSA-2022:0830: .NET 5.0 security and bugfix update (Important) | |||
| CVE-2022-4991 | high | 7.4 | 7.4 | 5d ago | Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that use… | |||
| CVE-2022-47630 | high | 7.4 | 7.4 | 3y ago | Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger d… | |||
| CVE-2022-4988 | high | 7.3 | 7.3 | 26d ago | Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Alien::FreeImage contains version 3.17.0 of the FreeImage library from 2017, which has known vulnerabilities s… | |||
| CVE-2022-35865 | high | 7.3 | 7.3 | 4y ago | This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It! 20.21.2.109. Authentication is not required to exploit this vulnerability. The specific… | |||
| CVE-2022-0354 | high | 7.3 | 7.3 | 4y ago | A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of … | |||
| CVE-2022-45083 | high | 7.2 | 7.2 | 2y ago | Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.T… | |||
| CVE-2022-47599 | high | 7.2 | 7.2 | 3y ago | Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager.This issue affects File Ma… | |||
| CVE-2022-45078 | high | 7.2 | 7.2 | 3y ago | Improper Neutralization of Formula Elements in a CSV File vulnerability in Solwin Infotech User Blocker.This issue affects User Blocker: from n/a through 1.5.5. | |||
| CVE-2022-47605 | high | 7.2 | 7.2 | 3y ago | Auth. SQL Injection') vulnerability in Kunal Nagar Custom 404 Pro plugin <= 3.7.0 versions. | |||
| CVE-2022-34871 | high | 7.2 | 7.2 | 4y ago | This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the … | |||
| CVE-2022-27224 | high | 7.2 | 7.2 | 4y ago | An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools sect… | |||
| CVE-2022-26826 | high | 7.2 | 7.2 | 4y ago | Windows DNS Server Remote Code Execution Vulnerability | |||
| CVE-2022-48827 | high | 7.1 | 7.1 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buff… | |||
| CVE-2022-49961 | high | 7.1 | 7.1 | 3y ago | In the Linux kernel, the following vulnerability has been resolved: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO Precision markers need to be propagated whenever we have an ARG_CON… | |||
| CVE-2022-3775 | high | 7.1 | 7.1 | 4y ago | Moderate: grub2 security update | |||
| CVE-2022-2347 | high | 7.1 | 7.1 | 4y ago | There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction co… | |||
| CVE-2022-37398 | high | 7.1 | 7.1 | 4y ago | A stack-based buffer overflow vulnerability was found inside ADM when using WebDAV due to the lack of data size validation. An attacker can exploit this vulnerability to run arbitrary code. Affected … | |||
| CVE-2022-22977 | high | 7.1 | 7.1 | 4y ago | VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where… | |||
| CVE-2022-31614 | high | 7.0 | 7.0 | 4y ago | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it may double-free some resources. An attacker may exploit this vulnerability with other vulnerabilities t… | |||
| CVE-2022-45809 | low | 3.7 | 3.7 | 3y ago | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Ricard Torres Thumbs Rating.This issue affects Thumbs Rating: from n/a through 5.0.0. | |||
| CVE-2022-39399 | low | 3.7 | 3.7 | 4y ago | RHSA-2022:7012: java-11-openjdk security and bug fix update (Moderate) | |||
| CVE-2022-21624 | low | 3.7 | 3.7 | 4y ago | RHSA-2023:0128: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-21619 | low | 3.7 | 3.7 | 4y ago | RHSA-2023:0128: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2022-45819 | low | 3.5 | 3.5 | 2y ago | Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Maker: from n/a through 1.17.1. | |||
| CVE-2022-3358 | low | — | 3.5 | 4y ago | Low: openssl security and bug fix update | |||
| CVE-2022-24101 | low | 3.3 | 3.3 | 4y ago | Acrobat Reader DC versions 20.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) are affected by a use-after-free vulnerability that could lead to disclosure of sensit… | |||
| CVE-2022-27227 | low | — | 2.5 | — | In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an… | |||
| CVE-2022-29458 | low | — | 2.5 | 10mo ago | ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. | |||
| CVE-2022-45063 | low | — | 2.5 | 1y ago | Low: xterm security update | |||
| CVE-2022-43939 | unknown | — | 2.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization. | |||
| CVE-2022-43769 | unknown | — | 2.5 | 1y ago | Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution. | |||
| CVE-2022-22948 | unknown | — | 2.5 | 2y ago | VMware vCenter Server contains an incorrect default file permissions vulnerability that allows a remote, privileged attacker to gain access to sensitive information. | |||
| CVE-2022-48554 | low | — | 2.5 | 2y ago | File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project. | |||
| CVE-2022-29303 | unknown | — | 2.5 | 3y ago | SolarView Compact contains a command injection vulnerability due to improper validation of input values on the send test mail console of the product's web server. | |||
| CVE-2022-35252 | low | — | 2.5 | 3y ago | When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. … | |||
| CVE-2022-36227 | low | — | 2.5 | 3y ago | RHSA-2023:3018: libarchive security update (Low) | |||
| CVE-2022-1615 | low | — | 2.5 | 3y ago | RHSA-2023:2987: samba security, bug fix, and enhancement update (Low) | |||
| CVE-2022-43552 | low | — | 2.5 | 3y ago | A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operat… | |||
| CVE-2022-28805 | low | — | 2.5 | 3y ago | Low: lua security update | |||
| CVE-2022-41862 | low | — | 2.5 | 3y ago | RHSA-2023:7016: libpq security update (Low) | |||
| CVE-2022-28810 | unknown | — | 2.5 | 3y ago | Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset. | |||
| CVE-2022-35914 | unknown | — | 2.5 | 3y ago | Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed. | |||
| CVE-2022-47986 | unknown | — | 2.5 | 3y ago | IBM Aspera Faspex could allow a remote attacker to execute code on the system, caused by a YAML deserialization flaw. | |||
| CVE-2022-46169 | unknown | — | 2.5 | 3y ago | Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code. | |||
| CVE-2022-24990 | unknown | — | 2.5 | 3y ago | TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint. | |||
| CVE-2022-21587 | unknown | — | 2.5 | 3y ago | Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. | |||
| CVE-2022-47966 | unknown | — | 2.5 | 3y ago | Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario. | |||
| CVE-2022-44877 | unknown | — | 2.5 | 3y ago | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter. | |||
| CVE-2022-0897 | low | — | 2.5 | 4y ago | RHSA-2022:7472: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update (Low) | |||
| CVE-2022-2990 | low | — | 2.5 | 4y ago | RHSA-2022:7822: container-tools:rhel8 security, bug fix, and enhancement update (Low) | |||
| CVE-2022-24736 | low | — | 2.5 | 4y ago | RHSA-2022:7541: redis:6 security, bug fix, and enhancement update (Low) | |||
| CVE-2022-24735 | low | — | 2.5 | 4y ago | RHSA-2022:7541: redis:6 security, bug fix, and enhancement update (Low) | |||
| CVE-2022-23645 | low | — | 2.5 | 4y ago | RHSA-2022:7472: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update (Low) | |||
| CVE-2022-1122 | low | — | 2.5 | 4y ago | RHSA-2022:7645: openjpeg2 security update (Low) | |||
| CVE-2022-2211 | low | — | 2.5 | 4y ago | RHSA-2022:7472: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update (Low) | |||
| CVE-2022-41352 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other user accounts. | |||
| CVE-2022-40684 | unknown | — | 2.5 | 4y ago | Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface … | |||
| CVE-2022-36804 | unknown | — | 2.5 | 4y ago | Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions… | |||
| CVE-2022-41082 | unknown | — | 2.5 | 4y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 which … | |||
| CVE-2022-41040 | unknown | — | 2.5 | 4y ago | Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution. | |||
| CVE-2022-35405 | unknown | — | 2.5 | 4y ago | Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2022-24112 | unknown | — | 2.5 | 4y ago | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. | |||
| CVE-2022-26352 | unknown | — | 2.5 | 4y ago | dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage … | |||
| CVE-2022-22536 | unknown | — | 2.5 | 4y ago | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can pr… | |||
| CVE-2022-26923 | unknown | — | 2.5 | 4y ago | An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalati… | |||
| CVE-2022-37042 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains an authentication bypass vulnerability in MailboxImportServlet. This vulnerability was chained with CVE-2022-27925 which allows for unauthenticated r… | |||
| CVE-2022-27925 | unknown | — | 2.5 | 4y ago | Synacor Zimbra Collaboration Suite (ZCS) contains flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution. This vulnerabili… | |||
| CVE-2022-30333 | unknown | — | 2.5 | 4y ago | RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation. | |||
| CVE-2022-33891 | unknown | — | 2.5 | 4y ago | Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled. | |||
| CVE-2022-30190 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code … | |||
| CVE-2022-26134 | unknown | — | 2.5 | 4y ago | Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution. | |||
| CVE-2022-30525 | unknown | — | 2.5 | 4y ago | A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | |||
| CVE-2022-1388 | unknown | — | 2.5 | 4y ago | F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. | |||
| CVE-2022-29464 | unknown | — | 2.5 | 4y ago | Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution. | |||
| CVE-2022-26904 | unknown | — | 2.5 | 4y ago | Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2022-22960 | unknown | — | 2.5 | 4y ago | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. | |||
| CVE-2022-22954 | unknown | — | 2.5 | 4y ago | VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection. | |||
| CVE-2022-22963 | unknown | — | 2.5 | 4y ago | When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code executio… | |||
| CVE-2022-22965 | unknown | — | 2.5 | 4y ago | Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | |||
| CVE-2022-1040 | unknown | — | 2.5 | 4y ago | An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution. | |||
| CVE-2022-0543 | unknown | — | 2.5 | 4y ago | Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. | |||
| CVE-2022-21999 | unknown | — | 2.5 | 4y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability which can allow for privilege escalation. | |||
| CVE-2022-26318 | unknown | — | 2.5 | 4y ago | On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code. | |||
| CVE-2022-22947 | unknown | — | 2.5 | 4y ago | Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. | |||
| CVE-2022-20699 | unknown | — | 2.5 | 4y ago | A vulnerability in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code elevate privileges, execute arbitrary … | |||
| CVE-2022-21882 | unknown | — | 2.5 | 4y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2022-20775 | unknown | — | 1.5 | 3mo ago | Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application C… | |||
| CVE-2022-37055 | unknown | — | 1.5 | 6mo ago | D-Link Routers contains a buffer overflow vulnerability that has a high impact on confidentiality, integrity, and availability. The impacted products could be end-of-life (EoL) and/or end-of-service … | |||
| CVE-2022-40799 | unknown | — | 1.5 | 10mo ago | D-Link DNR-322L contains a download of code without integrity check vulnerability that could allow an authenticated attacker to execute OS level commands on the device. The impacted products could be… | |||
| CVE-2022-23748 | unknown | — | 1.5 | 1y ago | Dante Discovery contains a process control vulnerability in mDNSResponder.exe that all allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application L… | |||
| CVE-2022-23227 | unknown | — | 1.5 | 2y ago | NUUO NVRmini2 devices contain a missing authentication vulnerability that allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users. | |||
| CVE-2022-21445 | unknown | — | 1.5 | 2y ago | Oracle ADF Faces library, included with Oracle JDeveloper Distribution, contains a deserialization of untrusted data vulnerability leading to unauthenticated remote code execution. | |||
| CVE-2022-38028 | unknown | — | 1.5 | 2y ago | Microsoft Windows Print Spooler service contains a privilege escalation vulnerability. An attacker may modify a JavaScript constraints file and execute it with SYSTEM-level permissions. | |||
| CVE-2022-48618 | unknown | — | 1.5 | 2y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a time-of-check/time-of-use (TOCTOU) memory corruption vulnerability that allows an attacker with read and write capabilities to bypass Pointer Aut… | |||
| CVE-2022-22071 | unknown | — | 1.5 | 3y ago | Multiple Qualcomm chipsets contain a use-after-free vulnerability when process shell memory is freed using IOCTL munmap call and process initialization is in progress. |