CVEs from 2017
Total: 11,660
- critical: 1,647
- high: 5,041
- medium: 4,168
- low: 159

% Critical: 14.1%
% with KEV: 0.7%
% with exploit: 9.8%
Top vendors
Top products
- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-16911 | unknown | — | — | | | | — | The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is atta… |
| CVE-2017-16912 | unknown | — | — | | | | — | The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a special… |
| CVE-2017-16913 | unknown | — | — | | | | — | The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial … |
| CVE-2017-16914 | unknown | — | — | | | | — | The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer … |
| CVE-2017-18360 | unknown | — | — | | | | — | In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set ve… |
| CVE-2017-18379 | unknown | — | — | | | | — | In the Linux kernel before 4.14, an out of boundary access happened in drivers/nvme/target/fc.c. |
| CVE-2017-18595 | unknown | — | — | | | | — | An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c. |
| CVE-2017-18549 | unknown | — | — | | | | — | An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_send_raw_srb does not initialize the reply s… |
| CVE-2017-18550 | unknown | — | — | | | | — | An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo… |
| CVE-2017-18552 | unknown | — | — | | | | — | An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency. |
| CVE-2017-2618 | unknown | — | — | | | | — | A flaw was found in the Linux kernel's handling of clearing SELinux attributes on /proc/pid/attr files before 4.9.10. An empty (null) write to this file can crash the system by causing the system to … |
| CVE-2017-18551 | unknown | — | — | | | | — | An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. |
| CVE-2017-2634 | unknown | — | — | | | | — | It was found that the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation before 2.6.22.17 used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP conne… |
| CVE-2017-20189 | unknown | — | — | | | | 2y ago | Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization |
| CVE-2017-20151 | unknown | — | — | | | | 4y ago | iText RUPS XML External Entity vulnerability |
| CVE-2017-15683 | unknown | — | — | | | | 4y ago | XML injection in Crafter CMS |
| CVE-2017-15680 | unknown | — | — | | | | 4y ago | Missing Authorization in Crafter CMS |
| CVE-2017-15682 | unknown | — | — | | | | 4y ago | Cross site scripting in Crafter CMS |
| CVE-2017-11365 | unknown | — | — | | | | 4y ago | Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The compo… |
| CVE-2017-12622 | unknown | — | — | | | | 4y ago | Apache Geode gfsh authorization vulnerability |
| CVE-2017-9796 | unknown | — | — | | | | 4y ago | Apache Geode OQL bind parameter vulnerability |
| CVE-2017-15717 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Apache Sling XSS Protection API |
| CVE-2017-3158 | unknown | — | — | | | | 4y ago | Apache Guacamole Race Condition vulnerability |
| CVE-2017-1000397 | unknown | — | — | | | | 4y ago | MitM on Jenkins Maven Plugin |
| CVE-2017-1000402 | unknown | — | — | | | | 4y ago | Jenkins Swarm Plugin Client vulnerable to man-in-the-middle attacks |
| CVE-2017-1000404 | unknown | — | — | | | | 4y ago | Jenkins Delivery Pipeline Plugin Cross-site Scripting vulnerability |
| CVE-2017-1000505 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins Script Security Plugin |
| CVE-2017-1000389 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin |
| CVE-2017-15697 | unknown | — | — | | | | 4y ago | Apache NiFi XSS issue in context path handling |
| CVE-2017-1000503 | unknown | — | — | | | | 4y ago | Race Condition in Jenkins |
| CVE-2017-1000502 | unknown | — | — | | | | 4y ago | Arbitrary shell command execution in Jenkins EC2 Plugin |
| CVE-2017-12632 | unknown | — | — | | | | 4y ago | Apache NiFi host header poisoning issue |
| CVE-2017-15712 | unknown | — | — | | | | 4y ago | Path Traversal in Apache Oozie |
| CVE-2017-15696 | unknown | — | — | | | | 4y ago | Apache Geode configuration request authorization vulnerability |
| CVE-2017-15693 | unknown | — | — | | | | 4y ago | Apache Geode unsafe deserialization of application objects |
| CVE-2017-15692 | unknown | — | — | | | | 4y ago | Apache Geode unsafe deserialization in TcpServer |
| CVE-2017-1000425 | unknown | — | — | | | | 4y ago | Liferay Portal XSS vulnerability via movie parameter in the /html/portal/flash.jsp page |
| CVE-2017-16790 | unknown | — | — | | | | 4y ago | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST … |
| CVE-2017-16652 | unknown | — | — | | | | 4y ago | An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler t… |
| CVE-2017-16654 | unknown | — | — | | | | 4y ago | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the … |
| CVE-2017-15706 | unknown | — | — | | | | 4y ago | As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorit… |
| CVE-2017-1000399 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-1000504 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery in Jenkins |
| CVE-2017-1000401 | unknown | — | — | | | | 4y ago | Improper Input Validation in Jenkins |
| CVE-2017-1000396 | unknown | — | — | | | | 4y ago | Improper Certificate Validation in Jenkins |
| CVE-2017-1000398 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-1000395 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-1000394 | unknown | — | — | | | | 4y ago | Improper Input Validation in Jenkins |
| CVE-2017-1000393 | unknown | — | — | | | | 4y ago | OS Command Injection in Jenkins |
| CVE-2017-1000392 | unknown | — | — | | | | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins |
| CVE-2017-1000391 | unknown | — | — | | | | 4y ago | Improper Input Validation in Jenkins |
| CVE-2017-15089 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Infinispan |
| CVE-2017-1000386 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Jenkins Active Choices plugin |
| CVE-2017-15719 | unknown | — | — | | | | 4y ago | Cross-site Scripting in wicket-jquery-ui |
| CVE-2017-15691 | unknown | — | — | | | | 4y ago | Improper Restriction of XML External Entity Reference in Apache uimaj |
| CVE-2017-9795 | unknown | — | — | | | | 4y ago | Apache Geode OQL method invocation vulnerability |
| CVE-2017-1000190 | unknown | — | — | | | | 4y ago | SimpleXML has XML External Entity (XXE) vulnerability |
| CVE-2017-18191 | unknown | — | — | | | | 4y ago | An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt t… |
| CVE-2017-16653 | unknown | — | — | | | | 4y ago | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different token… |
| CVE-2017-1000387 | unknown | — | — | | | | 4y ago | Jenkins Build-Publisher plugin has Insufficiently Protected Credentials |
| CVE-2017-1000403 | unknown | — | — | | | | 4y ago | Arbitrary code execution vulnerability in Jenkins Speaks! Plugin |
| CVE-2017-12165 | unknown | — | — | | | | 4y ago | Undertow Request Smuggling vulnerability |
| CVE-2017-12196 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Undertow |
| CVE-2017-12197 | unknown | — | — | | | | 4y ago | Improper Input Validation in libpam4j |
| CVE-2017-2602 | unknown | — | — | | | | 4y ago | Incomplete List of Disallowed Inputs in Jenkins |
| CVE-2017-2598 | unknown | — | — | | | | 4y ago | Inadequate Encryption Strength in Jenkins |
| CVE-2017-2594 | unknown | — | — | | | | 4y ago | Path Traversal in io.hawt:project |
| CVE-2017-2600 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2589 | unknown | — | — | | | | 4y ago | Insecure cookie sharing in Hawtio |
| CVE-2017-2603 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2609 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2612 | unknown | — | — | | | | 4y ago | Incorrect Permission Assignment for Critical Resource in Jenkins |
| CVE-2017-2610 | unknown | — | — | | | | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins |
| CVE-2017-2613 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery in Jenkins |
| CVE-2017-2606 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins |
| CVE-2017-2608 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Jenkins |
| CVE-2017-2604 | unknown | — | — | | | | 4y ago | Improper Authentication in Jenkins |
| CVE-2017-2607 | unknown | — | — | | | | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins |
| CVE-2017-2638 | unknown | — | — | | | | 4y ago | Infinispan Rest API Does Not Enforce Auth Constraints |
| CVE-2017-2649 | unknown | — | — | | | | 4y ago | Jenkins Active Directory Plugin did not verify certificate of AD server |
| CVE-2017-2648 | unknown | — | — | | | | 4y ago | Jenkins SSH Build Agents Plugin did not verify host keys |
| CVE-2017-2651 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins-mailer-plugin |
| CVE-2017-2654 | unknown | — | — | | | | 4y ago | Emails were sent to addresses not associated with actual users of Jenkins by Email Extension Plugin |
| CVE-2017-2652 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins Distributed Fork Plugin |
| CVE-2017-2650 | unknown | — | — | | | | 4y ago | Jenkins Pipeline Classpath Step plugin allowed Script Security sandbox bypass |
| CVE-2017-3202 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Flamingo amf-serializer |
| CVE-2017-3203 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Spring-flex |
| CVE-2017-7545 | unknown | — | — | | | | 4y ago | XML External Entity Reference in jbpmmigration |
| CVE-2017-7559 | unknown | — | — | | | | 4y ago | Undertow vulnerable to Request Smuggling |
| CVE-2017-3199 | unknown | — | — | | | | 4y ago | GraniteDS Insecure Deserialization |
| CVE-2017-3200 | unknown | — | — | | | | 4y ago | GraniteDS Insecure Deserialization |
| CVE-2017-12610 | unknown | — | — | | | | 4y ago | Improper Authentication in Apache Kafka |
| CVE-2017-1000400 | unknown | — | — | | | | 4y ago | Missing Authorization in Jenkins |
| CVE-2017-1000388 | unknown | — | — | | | | 4y ago | Jenkins Dependency Graph Viewer plugin vulnerable to missing permission checks |
| CVE-2017-15695 | unknown | — | — | | | | 4y ago | Apache Geode vulnerable to Incorrect Authorization |
| CVE-2017-1000390 | unknown | — | — | | | | 4y ago | Jenkins Multijob plugin did not check permissions in the Resume Build action |
| CVE-2017-2611 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Jenkins Core |
| CVE-2017-2599 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Jenkins |
| CVE-2017-1000487 | unknown | — | — | | | | 4y ago | OS Command Injection in Plexus-utils |
| CVE-2017-12174 | unknown | — | — | | | | 4y ago | Uncontrolled Resource Consumption in Artemis and HornetQ |