CVEs from 2022

Total: 5,243

- critical: 92
- high: 1,233
- medium: 961
- low: 24

% Critical: 1.8%
% with KEV: 2.5%
% with exploit: 3.4%
Top vendors
- oracle 616
- netapp 438
- microsoft 165
- omron 109
- azul 82
- schneider-electric 33
- mitsubishielectric 32
- siemens 10
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-41404 | unknown | — | — |  |  |  | 4y ago | org.ini4j allows attackers to cause a Denial of Service (DoS) |
| CVE-2022-40664 | unknown | — | — |  |  |  | 4y ago | Apache Shiro Authentication Bypass vulnerability |
| CVE-2022-41414 | unknown | — | — |  |  |  | 4y ago | Liferay Portal Insecure Default Configuration in auth.login.prompt.enabled |
| CVE-2022-39237 | unknown | — | — |  |  |  | 4y ago | syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1 the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) us… |
| CVE-2022-41853 | unknown | — | — |  |  |  | 4y ago | HyperSQL DataBase vulnerable to remote code execution when processing untrusted input |
| CVE-2022-3171 | unknown | — | — |  |  |  | 4y ago | protobuf-java has a potential Denial of Service issue |
| CVE-2022-39248 | unknown | — | — |  |  |  | 4y ago | matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion |
| CVE-2022-39246 | unknown | — | — |  |  |  | 4y ago | matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions |
| CVE-2022-39243 | unknown | — | — |  |  |  | 4y ago | NuProcess vulnerable to command-line injection through insertion of NUL character(s) |
| CVE-2022-40929 | unknown | — | — |  |  |  | 4y ago | XXL-JOB contains a Command execution vulnerability in background tasks |
| CVE-2022-39261 | unknown | — | — |  |  |  | 4y ago | Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-3290 | unknown | — | — |  |  |  | 4y ago | rdiffweb's unlimited username field length can lead to DoS |
| CVE-2022-33681 | unknown | — | — |  |  |  | 4y ago | Apache Pulsar Java Client vulnerable to Improper Certificate Validation |
| CVE-2022-33683 | unknown | — | — |  |  |  | 4y ago | Apache Pulsar Brokers and Proxies vulnerable to Improper Certificate Validation |
| CVE-2022-33682 | unknown | — | — |  |  |  | 4y ago | Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation |
| CVE-2022-26112 | unknown | — | — |  |  |  | 4y ago | Apache Pinot has Groovy Function support enabled by default |
| CVE-2022-36944 | unknown | — | — |  |  |  | 4y ago | Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization |
| CVE-2022-24280 | unknown | — | — |  |  |  | 4y ago | Proxy component of Apache Pulsar subject to abuse as Denial of Service endpoint |
| CVE-2022-23464 | unknown | — | — |  |  |  | 4y ago | Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery |
| CVE-2022-23463 | unknown | — | — |  |  |  | 4y ago | Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution |
| CVE-2022-36025 | unknown | — | — |  |  |  | 4y ago | Besu VM vulnerable to gas allocation error in CALL operations |
| CVE-2022-2256 | unknown | — | — |  |  |  | 4y ago | Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles |
| CVE-2022-2668 | unknown | — | — |  |  |  | 4y ago | Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console |
| CVE-2022-28978 | unknown | — | — |  |  |  | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Site Module |
| CVE-2022-28977 | unknown | — | — |  |  |  | 4y ago | Liferay Portal and Liferay DXP HtmlUtil.escapeRedirect Can Be Circumvented |
| CVE-2022-40705 | unknown | — | — |  |  |  | 4y ago | Apache SOAP's RPCRouterServlet allows reading of arbitrary files over HTTP |
| CVE-2022-39975 | unknown | — | — |  |  |  | 4y ago | Liferay Portal Missing Authorization vulnerability |
| CVE-2022-38512 | unknown | — | — |  |  |  | 4y ago | Liferay Portal and Liferay DXP Fails to Check Permissions in Translation Module |
| CVE-2022-28980 | unknown | — | — |  |  |  | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the filter_ Prefix |
| CVE-2022-28982 | unknown | — | — |  |  |  | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via Tag Name |
| CVE-2022-28981 | unknown | — | — |  |  |  | 4y ago | Liferay Portal Path Traversal Vulnerability via the Hypermedia REST APIs Module |
| CVE-2022-28979 | unknown | — | — |  |  |  | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module |
| CVE-2022-38648 | unknown | — | — |  |  |  | 4y ago | Apache Batik vulnerable to Server-Side Request Forgery |
| CVE-2022-40146 | unknown | — | — |  |  |  | 4y ago | Apache Batik vulnerable to Server-Side Request Forgery |
| CVE-2022-38398 | unknown | — | — |  |  |  | 4y ago | Apache Batik Server-Side Request Forgery |
| CVE-2022-41244 | unknown | — | — |  |  |  | 4y ago | Missing hostname validation in Jenkins View26 Test-Reporting Plugin |
| CVE-2022-41247 | unknown | — | — |  |  |  | 4y ago | Jenkins BigPanda Notifier Plugin stores BigPanda API key unencrypted |
| CVE-2022-41232 | unknown | — | — |  |  |  | 4y ago | Jenkins build-publisher plugin vulnerable to cross-site request forgery |
| CVE-2022-41237 | unknown | — | — |  |  |  | 4y ago | RCE vulnerability in Jenkins DotCi Plugin |
| CVE-2022-41230 | unknown | — | — |  |  |  | 4y ago | Missing permission check in Jenkins build-publisher Plugin |
| CVE-2022-41224 | unknown | — | — |  |  |  | 4y ago | Jenkins vulnerable to stored cross site scripting in the I:helpIcon component |
| CVE-2022-41233 | unknown | — | — |  |  |  | 4y ago | Jenkins Rundeck Plugin Missing Authorization vulnerability |
| CVE-2022-41234 | unknown | — | — |  |  |  | 4y ago | Missing webhook endpoint authorization in Jenkins Rundeck Plugin |
| CVE-2022-41246 | unknown | — | — |  |  |  | 4y ago | CSRF vulnerability and mM |
| CVE-2022-41242 | unknown | — | — |  |  |  | 4y ago | Jenkins extreme-feedback Plugin vulnerable to Missing Authorization |
| CVE-2022-41243 | unknown | — | — |  |  |  | 4y ago | Jenkins SmallTest Plugin missing hostname validation |
| CVE-2022-41240 | unknown | — | — |  |  |  | 4y ago | Stored XSS vulnerability in Jenkins Walti plugin |
| CVE-2022-41231 | unknown | — | — |  |  |  | 4y ago | Path traversal in Jenkins build-publisher Plugin |
| CVE-2022-41241 | unknown | — | — |  |  |  | 4y ago | Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference |
| CVE-2022-41236 | unknown | — | — |  |  |  | 4y ago | CSRF vulnerability in Jenkins Security Inspector plugin |
| CVE-2022-41228 | unknown | — | — |  |  |  | 4y ago | Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Missing Authorization |
| CVE-2022-41238 | unknown | — | — |  |  |  | 4y ago | Lack of authentication mechanism in Jenkins DotCi Plugin webhook |
| CVE-2022-41227 | unknown | — | — |  |  |  | 4y ago | Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-Site Request Forgery |
| CVE-2022-41239 | unknown | — | — |  |  |  | 4y ago | Stored XSS vulnerability in Jenkins DotCi Plugin |
| CVE-2022-41225 | unknown | — | — |  |  |  | 4y ago | Jenkins Anchore Container Image Scanner Plugin vulnerable to cross site scripting |
| CVE-2022-41235 | unknown | — | — |  |  |  | 4y ago | Jenkins WildFly Deployer Plugin vulnerable to path traversal |
| CVE-2022-41245 | unknown | — | — |  |  |  | 4y ago | CSRF vulnerability in Jenkins Worksoft Execution Manager Plugin allows capturing credentials |
| CVE-2022-41229 | unknown | — | — |  |  |  | 4y ago | Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-site Scripting |
| CVE-2022-41226 | unknown | — | — |  |  |  | 4y ago | Jenkins Compuware Common Configuration Plugin vulnerable to Improper Restriction of XML External Entity Reference |
| CVE-2022-41249 | unknown | — | — |  |  |  | 4y ago | Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery |
| CVE-2022-41250 | unknown | — | — |  |  |  | 4y ago | Missing permission check in Jenkins SCM HttpClient Plugin allows capturing credentials |
| CVE-2022-41253 | unknown | — | — |  |  |  | 4y ago | CSRF vulnerability in Jenkins CONS3RT Plugin allows capturing credentials |
| CVE-2022-41255 | unknown | — | — |  |  |  | 4y ago | API token stored in plain text by Jenkins CONS3RT Plugin |
| CVE-2022-41254 | unknown | — | — |  |  |  | 4y ago | Missing permission checks in Jenkins CONS3RT Plugin allow capturing credentials |
| CVE-2022-41251 | unknown | — | — |  |  |  | 4y ago | Jenkins Apprenda Plugin has Missing Authorization vulnerability |
| CVE-2022-41252 | unknown | — | — |  |  |  | 4y ago | Missing permission checks in Jenkins CONS3RT Plugin allow enumerating credentials IDs |
| CVE-2022-41248 | unknown | — | — |  |  |  | 4y ago | Jenkins BigPanda Notifier Plugin Missing Password Field Masking |
| CVE-2022-31679 | unknown | — | — |  |  |  | 4y ago | Spring Data REST can expose hidden entity attributes |
| CVE-2022-34917 | unknown | — | — |  |  |  | 4y ago | Apache Kafka vulnerability can lead to brokers hitting OutOfMemoryException, causing Denial of Service |
| CVE-2022-40955 | unknown | — | — |  |  |  | 4y ago | Apache InLong vulnerable to Deserialization of Untrusted Data |
| CVE-2022-31166 | unknown | — | — |  |  |  | 4y ago | XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups |
| CVE-2022-31167 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference |
| CVE-2022-25873 | unknown | — | — |  |  |  | 4y ago | Vuetify Cross-site Scripting vulnerability |
| CVE-2022-40150 | unknown | — | — |  |  |  | 4y ago | Jettison memory exhaustion |
| CVE-2022-40149 | unknown | — | — |  |  |  | 4y ago | Jettison parser crash by stackoverflow |
| CVE-2022-40152 | unknown | — | — |  |  |  | 4y ago | Denial of Service due to parser crash |
| CVE-2022-36095 | unknown | — | — |  |  |  | 4y ago | XWiki Cross-Site Request Forgery (CSRF) for actions on tags |
| CVE-2022-36109 | unknown | — | — |  |  |  | 4y ago | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has di… |
| CVE-2022-36056 | unknown | — | — |  |  |  | 4y ago | Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-bl… |
| CVE-2022-36090 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Improper Authorization check for inactive users |
| CVE-2022-36091 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor |
| CVE-2022-36096 | unknown | — | — |  |  |  | 4y ago | XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list |
| CVE-2022-36097 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form |
| CVE-2022-36098 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Mentions UI vulnerable to Cross-site Scripting |
| CVE-2022-36099 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability |
| CVE-2022-36100 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection |
| CVE-2022-36113 | unknown | — | — |  |  |  | 4y ago | Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it… |
| CVE-2022-36114 | unknown | — | — |  |  |  | 4y ago | Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternat… |
| CVE-2022-36092 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action |
| CVE-2022-36093 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Web Templates vulnerable to Unauthorized User Registration Through the Distribution Wizard |
| CVE-2022-36094 | unknown | — | — |  |  |  | 4y ago | XWiki Platform Web Parent POM vulnerable to XSS in the attachment history |
| CVE-2022-25897 | unknown | — | — |  |  |  | 4y ago | Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service) |
| CVE-2022-37724 | unknown | — | — |  |  |  | 4y ago | Project Wonder WebObjects vulnerable to Arbitrary HTTP Header Injection and Cross-site Scripting |
| CVE-2022-1278 | unknown | — | — |  |  |  | 4y ago | WildFly vulnerable to Insecure Default Initialization of Resource |
| CVE-2022-40635 | unknown | — | — |  |  |  | 4y ago | CrafterCMS OS Command Injection vulnerability |
| CVE-2022-40634 | unknown | — | — |  |  |  | 4y ago | CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources |
| CVE-2022-37734 | unknown | — | — |  |  |  | 4y ago | graphql-java vulnerable to Denial of Service via GraphQL query that consumes CPU resources |
| CVE-2022-37767 | unknown | — | — |  |  |  | 4y ago | Pebble Templates protection mechanism bypass can lead to arbitrary code execution |
| CVE-2022-39135 | unknown | — | — |  |  |  | 4y ago | Apache Calcite before 1.32.0 vulnerable to potential XML External Entity (XXE) attack |
| CVE-2022-26049 | unknown | — | — |  |  |  | 4y ago | Goomph before 3.37.2 allows malicious zip file to write contents to arbitrary locations |