CVEs from 2022

- Total: 5,243
- Critical: 92
- High: 1,233
- Medium: 961
- Low: 24
- % Critical: 1.8%
- % with KEV: 2.5%
- % with exploit: 3.4%
Top vendors
- oracle 616
- netapp 438
- microsoft 165
- omron 109
- azul 82
- schneider-electric 33
- mitsubishielectric 32
- siemens 10
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-45378 | unknown | — | — | 4y ago | Apache SOAP contains unauthenticated RPCRouterServlet | |||
| CVE-2022-41854 | unknown | — | — | 4y ago | Snakeyaml vulnerable to Stack overflow leading to denial of service | |||
| CVE-2022-3952 | unknown | — | — | 4y ago | ManyDesigns Portofino subject to creation of insecure temporary file | |||
| CVE-2022-36022 | unknown | — | — | 4y ago | Use of unclaimed s3 bucket in tests and examples | |||
| CVE-2022-42964 | unknown | — | — | 4y ago | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method | |||
| CVE-2022-44244 | unknown | — | — | 4y ago | Lin CMS vulnerable to Improper Authentication | |||
| CVE-2022-45129 | unknown | — | — | 4y ago | Payara, when deployed to the root context, allows attackers to visit META-INF and WEB-INF | |||
| CVE-2022-39368 | unknown | — | — | 4y ago | Failing DTLS handshakes may cause throttling to block processing of records | |||
| CVE-2022-37866 | unknown | — | — | 4y ago | Apache Ivy vulnerable to path traversal | |||
| CVE-2022-37865 | unknown | — | — | 4y ago | Apache Ivy does not verify target path when extracting the archive | |||
| CVE-2022-39387 | unknown | — | — | 4y ago | XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider | |||
| CVE-2022-32287 | unknown | — | — | 4y ago | Apache UIMA Path Traversal vulnerability | |||
| CVE-2022-43670 | unknown | — | — | 4y ago | Apache Sling App CMS vulnerable to Cross-site Scripting | |||
| CVE-2022-31777 | unknown | — | — | 4y ago | Apache Spark vulnerable to Log Injection | |||
| CVE-2022-34662 | unknown | — | — | 4y ago | Apache DolphinScheduler vulnerable to Path Traversal | |||
| CVE-2022-31690 | unknown | — | — | 4y ago | spring-security-oauth2-client vulnerable to Privilege Escalation | |||
| CVE-2022-31692 | unknown | — | — | 4y ago | Spring Security authorization rules can be bypassed via forward or include dispatcher types | |||
| CVE-2022-42252 | unknown | — | — | 4y ago | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default f… | |||
| CVE-2022-26884 | unknown | — | — | 4y ago | Apache DolphinScheduler vulnerable to Path Traversal | |||
| CVE-2022-43766 | unknown | — | — | 4y ago | Apache IoTDB subject to ReDOS with Java 8 | |||
| CVE-2022-42468 | unknown | — | — | 4y ago | Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL | |||
| CVE-2022-39944 | unknown | — | — | 4y ago | Apache Linkis subject to Remote Code Execution via deserialization | |||
| CVE-2022-39327 | unknown | — | — | 4y ago | Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting ma… | |||
| CVE-2022-42890 | unknown | — | — | 4y ago | Untrusted code execution in Apache XML Graphics Batik | |||
| CVE-2022-41704 | unknown | — | — | 4y ago | Apache XML Graphics Batik vulnerable to code execution via SVG. | |||
| CVE-2022-34870 | unknown | — | — | 4y ago | Apache Geode vulnerable to Cross-Site Scripting | |||
| CVE-2022-40084 | unknown | — | — | 4y ago | OpenCRX vulnerable to password enumeration via error messages in password reset | |||
| CVE-2022-39259 | unknown | — | — | 4y ago | Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack | |||
| CVE-2022-31684 | unknown | — | — | 4y ago | Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens | |||
| CVE-2022-43424 | unknown | — | — | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins Compuware Xpediter Code Coverage Plugin | |||
| CVE-2022-43432 | unknown | — | — | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins XFramium Builder Plugin | |||
| CVE-2022-43407 | unknown | — | — | 4y ago | CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin | |||
| CVE-2022-43428 | unknown | — | — | 4y ago | Agent-to-controller security bypass vulnerabilities in Jenkins Compuware Topaz for Total Test Plugin | |||
| CVE-2022-43429 | unknown | — | — | 4y ago | Jenkins Compuware Topaz for Total Test Plugin vulnerable to Protection Mechanism Failure | |||
| CVE-2022-43409 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin | |||
| CVE-2022-43412 | unknown | — | — | 4y ago | Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin | |||
| CVE-2022-43414 | unknown | — | — | 4y ago | Jenkins NUnit Plugin vulnerable to Protection Mechanism Failure | |||
| CVE-2022-43411 | unknown | — | — | 4y ago | Non-constant time webhook token comparison in Jenkins GitLab Plugin | |||
| CVE-2022-43423 | unknown | — | — | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin | |||
| CVE-2022-43421 | unknown | — | — | 4y ago | Jenkins Tuleap Git Branch Source Plugin allows unauthenticated attackers to trigger Tuleap projects whose configured repo matches attacker-specified value | |||
| CVE-2022-43425 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Custom Checkbox Parameter Plugin | |||
| CVE-2022-43431 | unknown | — | — | 4y ago | Jenkins Compuware Strobe Measurement Plugin Missing Authorization vulnerability | |||
| CVE-2022-43413 | unknown | — | — | 4y ago | Jenkins Job Import Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins | |||
| CVE-2022-43433 | unknown | — | — | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins ScreenRecorder Plugin | |||
| CVE-2022-43403 | unknown | — | — | 4y ago | Jenkins Script Security Plugin sandbox bypass vulnerability | |||
| CVE-2022-43402 | unknown | — | — | 4y ago | Jenkins Pipeline: Groovy Plugin allows sandbox protection bypass and arbitrary code execution | |||
| CVE-2022-43406 | unknown | — | — | 4y ago | Sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin | |||
| CVE-2022-43405 | unknown | — | — | 4y ago | Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin | |||
| CVE-2022-43401 | unknown | — | — | 4y ago | Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin | |||
| CVE-2022-43404 | unknown | — | — | 4y ago | Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin | |||
| CVE-2022-43408 | unknown | — | — | 4y ago | Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins | |||
| CVE-2022-43422 | unknown | — | — | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins Compuware Topaz Utilities Plugin | |||
| CVE-2022-43410 | unknown | — | — | 4y ago | Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin | |||
| CVE-2022-43435 | unknown | — | — | 4y ago | Content-Security-Policy protection for user content can be disabled in Jenkins 360 FireLine Plugin | |||
| CVE-2022-43434 | unknown | — | — | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins NeuVector Vulnerability Scanner Plugin | |||
| CVE-2022-43427 | unknown | — | — | 4y ago | Jenkins Compuware Topaz for Total Test Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins | |||
| CVE-2022-43426 | unknown | — | — | 4y ago | AWS secrets displayed without masking by Jenkins S3 Explorer Plugin | |||
| CVE-2022-43418 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Katalon Plugin allows capturing credentials | |||
| CVE-2022-43417 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Katalon Plugin allow capturing credentials | |||
| CVE-2022-43420 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Contrast Continuous Application Security Plugin | |||
| CVE-2022-43415 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins REPO Plugin | |||
| CVE-2022-43416 | unknown | — | — | 4y ago | Jenkins Katalon Plugin vulnerable to Protection Mechanism Failure | |||
| CVE-2022-43419 | unknown | — | — | 4y ago | API keys stored in plain text by Jenkins Katalon Plugin | |||
| CVE-2022-43430 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin | |||
| CVE-2022-42113 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Document Library Module | |||
| CVE-2022-42112 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module | |||
| CVE-2022-42116 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the CKEditor Integration with the Frontend Editor Module | |||
| CVE-2022-42117 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Frontend Taglib Module | |||
| CVE-2022-42114 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module | |||
| CVE-2022-42115 | unknown | — | — | 4y ago | Liferay Portal Vulnerable to XSS in the Object Module | |||
| CVE-2022-39198 | unknown | — | — | 4y ago | Hessian Lite for Apache Dubbo deserialization vulnerability | |||
| CVE-2022-42467 | unknown | — | — | 4y ago | Apache Isis webconsole module may directly query the database in prototype mode | |||
| CVE-2022-42466 | unknown | — | — | 4y ago | Apache Isis Cross-site Scripting vulnerability | |||
| CVE-2022-39312 | unknown | — | — | 4y ago | MySQL JDBC deserialization vulnerability | |||
| CVE-2022-42969 | unknown | — | — | 4y ago | Withdrawn Advisory: ReDoS in py library when used with subversion | |||
| CVE-2022-41828 | unknown | — | — | 4y ago | com.amazon.redshift:redshift-jdbc42 vulnerable to remote command execution | |||
| CVE-2022-41404 | unknown | — | — | 4y ago | org.ini4j allows attackers to cause a Denial of Service (DoS) | |||
| CVE-2022-40664 | unknown | — | — | 4y ago | Apache Shiro Authentication Bypass vulnerability | |||
| CVE-2022-41414 | unknown | — | — | 4y ago | Liferay Portal Insecure Default Configuration in auth.login.prompt.enabled | |||
| CVE-2022-39237 | unknown | — | — | 4y ago | sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1 the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) us… | |||
| CVE-2022-41853 | unknown | — | — | 4y ago | HyperSQL DataBase vulnerable to remote code execution when processing untrusted input | |||
| CVE-2022-3171 | unknown | — | — | 4y ago | protobuf-java has a potential Denial of Service issue | |||
| CVE-2022-39248 | unknown | — | — | 4y ago | matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion | |||
| CVE-2022-39246 | unknown | — | — | 4y ago | matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions | |||
| CVE-2022-39243 | unknown | — | — | 4y ago | NuProcess vulnerable to command-line injection through insertion of NUL character(s) | |||
| CVE-2022-40929 | unknown | — | — | 4y ago | XXL-JOB contains a Command execution vulnerability in background tasks | |||
| CVE-2022-39261 | unknown | — | — | 4y ago | Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… | |||
| CVE-2022-3290 | unknown | — | — | 4y ago | rdiffweb's unlimited username field length can lead to DoS | |||
| CVE-2022-33683 | unknown | — | — | 4y ago | Apache Pulsar Brokers and Proxies vulnerable to Improper Certificate Validation | |||
| CVE-2022-33681 | unknown | — | — | 4y ago | Apache Pulsar Java Client vulnerable to Improper Certificate Validation | |||
| CVE-2022-33682 | unknown | — | — | 4y ago | Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation | |||
| CVE-2022-26112 | unknown | — | — | 4y ago | Apache Pinot has Groovy Function support enabled by default | |||
| CVE-2022-36944 | unknown | — | — | 4y ago | Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization | |||
| CVE-2022-24280 | unknown | — | — | 4y ago | Proxy component of Apache Pulsar subject to abuse as Denial of Service endpoint | |||
| CVE-2022-23464 | unknown | — | — | 4y ago | Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery | |||
| CVE-2022-23463 | unknown | — | — | 4y ago | Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution | |||
| CVE-2022-36025 | unknown | — | — | 4y ago | Besu VM vulnerable to gas allocation error in CALL operations | |||
| CVE-2022-2256 | unknown | — | — | 4y ago | Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles | |||
| CVE-2022-2668 | unknown | — | — | 4y ago | Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console | |||
| CVE-2022-28982 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via Tag Name |