CVEs from 2022
Total
5,243
critical
critical 92
high
high 1,233
medium
medium 961
low
low 24
% Critical
1.8%
% with KEV
2.5%
% with exploit
3.4%
Top vendors
- oracle 616
- netapp 438
- microsoft 165
- omron 109
- azul 82
- schneider-electric 33
- mitsubishielectric 32
- siemens 10
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-50564 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: s390/netiucv: Fix return type of netiucv_tx() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call … | |||
| CVE-2022-50568 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: fix f_hidg lifetime vs cdev The embedded struct cdev does not have its lifetime correctly tied to the enclosi… | |||
| CVE-2022-50570 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: fix memory corruption in ioctl If "s_mem.bytes" is larger than the buffer size it leads to memory corruption. | |||
| CVE-2022-50571 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure Now that lockdep is staying enabled through our entire C… | |||
| CVE-2022-50573 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix mt7915_rate_txpower_get() resource leaks Coverity message: variable "buf" going out of scope leaks the st… | |||
| CVE-2022-50574 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm/omap: dss: Fix refcount leak bugs In dss_init_ports() and __dss_uninit_ports(), we should call of_node_put() for the referenc… | |||
| CVE-2022-50575 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() As 'kdata.num' is user-controlled data, if user tries to all… | |||
| CVE-2022-50576 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: serial: pch: Fix PCI device refcount leak in pch_request_dma() As comment of pci_get_slot() says, it returns a pci_device with it… | |||
| CVE-2022-50577 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ima: Fix memory leak in __ima_inode_hash() Commit f3cc6b25dcc5 ("ima: always measure and audit files in policy") lets measurement… | |||
| CVE-2022-31114 | unknown | — | — | 4d ago | backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.… | |||
| CVE-2022-49957 | unknown | — | — | 1y ago | In the Linux kernel, the following vulnerability has been resolved: kcm: fix strp_init() order and cleanup strp_init() is called just a few lines above this csk->sk_user_data check, it also initial… | |||
| CVE-2022-41137 | unknown | — | — | 2y ago | Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore | |||
| CVE-2022-23553 | unknown | — | — | 2y ago | Alpine allows URL access filter bypass | |||
| CVE-2022-23554 | unknown | — | — | 2y ago | Alpine allows Authentication Filter bypass | |||
| CVE-2022-48833 | unknown | — | — | 2y ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: skip reserved bytes warning on unmount after log cleanup failure After the recent changes made by commit c2e39305299f01 ("… | |||
| CVE-2022-29946 | unknown | — | — | 2y ago | NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one sc… | |||
| CVE-2022-30636 | unknown | — | — | 2y ago | httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a di… | |||
| CVE-2022-47894 | unknown | — | — | 2y ago | Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE | |||
| CVE-2022-4963 | unknown | — | — | 2y ago | SQL injection in Folio Spring Module Core | |||
| CVE-2022-34321 | unknown | — | — | 2y ago | Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint | |||
| CVE-2022-45320 | unknown | — | — | 2y ago | Privilege escalation in Liferay Portal | |||
| CVE-2022-3328 | unknown | — | — | 2y ago | Race condition in snap-confine's must_mkdir_and_open_with_perms() | |||
| CVE-2022-45135 | unknown | — | — | 3y ago | Apache Cocoon SQL Injection vulnerability | |||
| CVE-2022-2232 | unknown | — | — | 3y ago | Keycloak vulnerable to LDAP Injection on UsernameForm Login | |||
| CVE-2022-41678 | unknown | — | — | 3y ago | Apache ActiveMQ Deserialization of Untrusted Data vulnerability | |||
| CVE-2022-46337 | unknown | — | — | 3y ago | Apache Derby: LDAP injection vulnerability in authenticator | |||
| CVE-2022-4244 | unknown | — | — | 3y ago | plexus-codehaus vulnerable to directory traversal | |||
| CVE-2022-4245 | unknown | — | — | 3y ago | codehaus-plexus vulnerable to XML injection | |||
| CVE-2022-28357 | unknown | — | — | 3y ago | NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account. | |||
| CVE-2022-1415 | unknown | — | — | 3y ago | Drools Core Deserialization of Untrusted Data vulnerability | |||
| CVE-2022-44729 | unknown | — | — | 3y ago | Apache XML Graphics Batik Server-Side Request Forgery vulnerability | |||
| CVE-2022-46751 | unknown | — | — | 3y ago | Apache Ivy External Entity Reference vulnerability | |||
| CVE-2022-41401 | unknown | — | — | 3y ago | OpenRefine Server-Side Request Forgery vulnerability | |||
| CVE-2022-40896 | unknown | — | — | 3y ago | A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. | |||
| CVE-2022-45855 | unknown | — | — | 3y ago | Apache Ambari Expression Language Injection vulnerability | |||
| CVE-2022-42009 | unknown | — | — | 3y ago | Apache Ambari Expression Language Injection vulnerability | |||
| CVE-2022-45048 | unknown | — | — | 3y ago | Apache Ranger code execution vulnerability in policy expressions | |||
| CVE-2022-46365 | unknown | — | — | 3y ago | Apache StreamPark Improper Input Validation vulnerability | |||
| CVE-2022-45802 | unknown | — | — | 3y ago | Apache StreamPark Path Traversal vulnerability | |||
| CVE-2022-24697 | unknown | — | — | 3y ago | Apache Kylin vulnerable to remote code execution | |||
| CVE-2022-4361 | unknown | — | — | 3y ago | Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC | |||
| CVE-2022-46907 | unknown | — | — | 3y ago | Apache JSPWiki vulnerable to cross-site scripting on several plugins | |||
| CVE-2022-47937 | unknown | — | — | 3y ago | Apache Sling Commons JSON bundle vulnerable to Improper Input Validation | |||
| CVE-2022-45801 | unknown | — | — | 3y ago | Apache StreamPark LDAP Injection vulnerability | |||
| CVE-2022-45064 | unknown | — | — | 3y ago | Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation | |||
| CVE-2022-41918 | unknown | — | — | 3y ago | OpenSearch has issue with fine-grained access control of indices backing data streams | |||
| CVE-2022-3277 | unknown | — | — | 3y ago | An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates re… | |||
| CVE-2022-1274 | unknown | — | — | 3y ago | HTML Injection in Keycloak Admin REST API | |||
| CVE-2022-4137 | unknown | — | — | 3y ago | Keycloak Cross-site Scripting on OpenID connect login service | |||
| CVE-2022-1438 | unknown | — | — | 3y ago | Keycloak vulnerable to Cross-site Scripting | |||
| CVE-2022-39228 | unknown | — | — | 3y ago | vantage6 vulnerable to Observable Response Discrepancy | |||
| CVE-2022-4492 | unknown | — | — | 3y ago | Undertow client not checking server identity presented by server certificate in https connections | |||
| CVE-2022-42735 | unknown | — | — | 3y ago | Privilege escalation in Apache ShenYu | |||
| CVE-2022-4903 | unknown | — | — | 3y ago | CodenameOne Pending Intent vulnerability | |||
| CVE-2022-24894 | unknown | — | — | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers… | |||
| CVE-2022-24895 | unknown | — | — | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the… | |||
| CVE-2022-44645 | unknown | — | — | 3y ago | Apache Linkis contains Deserialization of Untrusted Data | |||
| CVE-2022-44644 | unknown | — | — | 3y ago | Apache Linkis vulnerable to Exposure of Sensitive Information | |||
| CVE-2022-2712 | unknown | — | — | 3y ago | Path Traversal In Eclipse GlassFish | |||
| CVE-2022-47951 | unknown | — | — | 3y ago | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0… | |||
| CVE-2022-25894 | unknown | — | — | 3y ago | Remote Code Execution in com.bstek.uflo:uflo-core | |||
| CVE-2022-47042 | unknown | — | — | 3y ago | Arbitrary file write in net.mingsoft:ms-mcms | |||
| CVE-2022-47105 | unknown | — | — | 3y ago | Jeecg-boot is vulnerable to SQL injection | |||
| CVE-2022-47950 | unknown | — | — | 3y ago | An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file c… | |||
| CVE-2022-25901 | unknown | — | — | 3y ago | cookiejar Regular Expression Denial of Service via Cookie.parse function | |||
| CVE-2022-41721 | unknown | — | — | 3y ago | A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from th… | |||
| CVE-2022-23532 | unknown | — | — | 3y ago | org.neo4j.procedure:apoc Path Traversal Vulnerability | |||
| CVE-2022-3143 | unknown | — | — | 3y ago | Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator | |||
| CVE-2022-24913 | unknown | — | — | 3y ago | Java Merge-sort Insecure Temporary File vulnerability | |||
| CVE-2022-46176 | unknown | — | — | 3y ago | Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could explo… | |||
| CVE-2022-46769 | unknown | — | — | 4y ago | Apache Sling App CMS vulnerable to reflected Cross-site Scripting | |||
| CVE-2022-45935 | unknown | — | — | 4y ago | Apache James server allows an attacker with local access to access private user data in transit | |||
| CVE-2022-45787 | unknown | — | — | 4y ago | Apache James MIME4J vulnerable to information disclosure to local users | |||
| CVE-2022-45875 | unknown | — | — | 4y ago | Apache DolphinScheduler vulnerable to Improper Input Validation | |||
| CVE-2022-38723 | unknown | — | — | 4y ago | Gravitee API Management contains Path Traversal | |||
| CVE-2022-45143 | unknown | — | — | 4y ago | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use… | |||
| CVE-2022-47551 | unknown | — | — | 4y ago | Apiman has potential permissions bypass | |||
| CVE-2022-46178 | unknown | — | — | 4y ago | Path Traversal In MeterSpere leads to upload file to any path | |||
| CVE-2022-40151 | unknown | — | — | 4y ago | XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow | |||
| CVE-2022-43396 | unknown | — | — | 4y ago | Apache Kylin vulnerable to Command injection by Useless configuration | |||
| CVE-2022-44621 | unknown | — | — | 4y ago | Apache Kylin vulnerable to Command injection by Diagnosis Controller | |||
| CVE-2022-41966 | unknown | — | — | 4y ago | XStream can cause Denial of Service via stack overflow | |||
| CVE-2022-4772 | unknown | — | — | 4y ago | Widoco Path Traversal vulnerability | |||
| CVE-2022-4725 | unknown | — | — | 4y ago | AWS SDK is vulnerable to server-side request forgery (SSRF) | |||
| CVE-2022-36437 | unknown | — | — | 4y ago | Hazelcast connection caching | |||
| CVE-2022-45347 | unknown | — | — | 4y ago | Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability | |||
| CVE-2022-4640 | unknown | — | — | 4y ago | Mingsoft MCMS Cross-site Scripting vulnerability | |||
| CVE-2022-40145 | unknown | — | — | 4y ago | Apache Karaf vulnerable to potential code injection | |||
| CVE-2022-46870 | unknown | — | — | 4y ago | Apache Zeppelin Cross-site Scripting vulnerability | |||
| CVE-2022-25940 | unknown | — | — | 4y ago | lite-server vulnerable to Denial of Service | |||
| CVE-2022-47500 | unknown | — | — | 4y ago | Apache Helix UI vulnerable to Open Redirect | |||
| CVE-2022-4565 | unknown | — | — | 4y ago | HuTool vulnerable to Uncontrolled Resource Consumption | |||
| CVE-2022-4521 | unknown | — | — | 4y ago | WSO2 carbon-registry vulnerable to Cross-site Scripting | |||
| CVE-2022-4520 | unknown | — | — | 4y ago | WSO2 carbon-registry Cross-site Scripting vulnerability | |||
| CVE-2022-32531 | unknown | — | — | 4y ago | Apache Bookkeeper vulnerable to Improper Certificate Validation | |||
| CVE-2022-4493 | unknown | — | — | 4y ago | SCIFIO vulnerable to Path Traversal | |||
| CVE-2022-34271 | unknown | — | — | 4y ago | Apache Atlas: zip path traversal in import functionality | |||
| CVE-2022-3782 | unknown | — | — | 4y ago | Keycloak vulnerable to path traversal via double URL encoding | |||
| CVE-2022-3916 | unknown | — | — | 4y ago | Keycloak vulnerable to session takeover with OIDC offline refreshtokens | |||
| CVE-2022-46364 | unknown | — | — | 4y ago | Apache CXF Server-Side Request Forgery vulnerability |