CVEs from 2019
Total
3,202
critical
critical 204
high
high 479
medium
medium 471
low
low 94
% Critical
6.4%
% with KEV
3.7%
% with exploit
7.9%
Top products
- u-boot 20
- active_iq_unified_manager 7
- jdk 5
- weblogic_server 5
- oncommand_workflow_automation 5
- oncommand_insight 4
- codeready_linux_builder_eus 4
- libxslt 4
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-1003033 | unknown | — | — | 4y ago | Jenkins Groovy Plugin sandbox bypass vulnerability | |||
| CVE-2019-10287 | unknown | — | — | 4y ago | Jenkins youtrack-plugin Plugin stored credentials in plain text | |||
| CVE-2019-10288 | unknown | — | — | 4y ago | Jenkins Jabber Server Plugin stores credentials in plain text | |||
| CVE-2019-10286 | unknown | — | — | 4y ago | Jenkins DeployHub Plugin stores credentials in plain text | |||
| CVE-2019-10284 | unknown | — | — | 4y ago | Jenkins Diawi Upload Plugin stores credentials in plain text | |||
| CVE-2019-10283 | unknown | — | — | 4y ago | Jenkins mabl Plugin stores credentials in plain text | |||
| CVE-2019-10293 | unknown | — | — | 4y ago | Missing permission check in Jenkins Kmap Plugin allow SSRF | |||
| CVE-2019-10279 | unknown | — | — | 4y ago | Missing permission check in Jenkins jenkins-reviewbot Plugin | |||
| CVE-2019-10285 | unknown | — | — | 4y ago | Jenkins Minio Storage Plugin stores credentials in plain text | |||
| CVE-2019-10291 | unknown | — | — | 4y ago | Jenkins Netsparker Enterprise Scan Plugin stored credentials in plain text | |||
| CVE-2019-10298 | unknown | — | — | 4y ago | Jenkins Koji Plugin stores credentials in plain text | |||
| CVE-2019-10299 | unknown | — | — | 4y ago | Jenkins CloudCoreo DeployTime Plugin stores credentials in plain text | |||
| CVE-2019-10297 | unknown | — | — | 4y ago | Jenkins Sametime Plugin stores credentials in plain text | |||
| CVE-2019-10290 | unknown | — | — | 4y ago | Missing permission check in Jenkins Netsparker Cloud Scan Plugin | |||
| CVE-2019-10294 | unknown | — | — | 4y ago | Jenkins Kmap Plugin stores credentials in plain text | |||
| CVE-2019-10282 | unknown | — | — | 4y ago | Jenkins Klaros-Testmanagement Plugin stores credentials in plain text | |||
| CVE-2019-10281 | unknown | — | — | 4y ago | Jenkins Relution Enterprise Appstore Publisher Plugin stores credentials in plain text | |||
| CVE-2019-10296 | unknown | — | — | 4y ago | Jenkins Serena SRA Deploy Plugin stores credentials in plain text | |||
| CVE-2019-10295 | unknown | — | — | 4y ago | Jenkins crittercism-dsym Plugin stores API key in plain text | |||
| CVE-2019-10277 | unknown | — | — | 4y ago | Jenkins StarTeam Plugin stores credentials in plain text | |||
| CVE-2019-10280 | unknown | — | — | 4y ago | Jenkins Assembla Auth Plugin stores credentials in plain text | |||
| CVE-2019-7611 | unknown | — | — | 4y ago | Improper Access Control in Elasticsearch | |||
| CVE-2019-5919 | unknown | — | — | 4y ago | Nablarch Incomplete Cryptography | |||
| CVE-2019-10876 | unknown | — | — | 4y ago | An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated us… | |||
| CVE-2019-9735 | unknown | — | — | 4y ago | An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security… | |||
| CVE-2019-1003004 | unknown | — | — | 4y ago | Improper Authorization in Jenkins Core | |||
| CVE-2019-1003003 | unknown | — | — | 4y ago | Improper Authorization in Jenkins Core | |||
| CVE-2019-0204 | unknown | — | — | 4y ago | Docker image code execution with Apache Mesos | |||
| CVE-2019-18887 | unknown | — | — | 4y ago | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/h… | |||
| CVE-2019-14900 | unknown | — | — | 4y ago | SQL Injection in Hibernate ORM | |||
| CVE-2019-12416 | unknown | — | — | 4y ago | Injection in DeltaSpike | |||
| CVE-2019-10091 | unknown | — | — | 4y ago | Apache Geode SSL endpoint verification vulnerability | |||
| CVE-2019-11343 | unknown | — | — | 4y ago | Vulnerability in Torpedo Query | |||
| CVE-2019-17640 | unknown | — | — | 4y ago | Path Traversal in Eclipse Vert | |||
| CVE-2019-10797 | unknown | — | — | 4y ago | HTTP Response Splitting in WSO2 transport-http | |||
| CVE-2019-17566 | unknown | — | — | 4y ago | Server-side request forgery (SSRF) in Apache Batik | |||
| CVE-2019-17557 | unknown | — | — | 5y ago | Cross-site scripting in Apache Syncome EndUser | |||
| CVE-2019-10170 | unknown | — | — | 5y ago | Privilege Defined With Unsafe Actions in Keycloak | |||
| CVE-2019-10095 | unknown | — | — | 5y ago | Bash command injection in Apache Zeppelin | |||
| CVE-2019-25050 | unknown | — | — | 5y ago | netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow in nc4_get_att (called from nc4_get_att_tc and nc_get_att_text) and in uffd_cleanup (called from netCDFDataset::~netCDFDataset and… | |||
| CVE-2019-13126 | unknown | — | — | 5y ago | An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authe… | |||
| CVE-2019-25027 | unknown | — | — | 5y ago | Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13 | |||
| CVE-2019-25028 | unknown | — | — | 5y ago | Stored cross-site scripting in Grid component in Vaadin 7 and 8 | |||
| CVE-2019-17638 | unknown | — | — | 6y ago | Operation on a Resource after Expiration or Release in Jetty Server | |||
| CVE-2019-13990 | unknown | — | — | 6y ago | XML external entity injection in Terracotta Quartz Scheduler | |||
| CVE-2019-17572 | unknown | — | — | 6y ago | Directory traversal in Apache RocketMQ | |||
| CVE-2019-2692 | unknown | — | — | 6y ago | Privilege escalation in mysql-connector-jav | |||
| CVE-2019-17267 | unknown | — | — | 6y ago | Improper Input Validation in jackson-databind | |||
| CVE-2019-17570 | unknown | — | — | 6y ago | Insecure Deserialization in Apache XML-RPC | |||
| CVE-2019-17573 | unknown | — | — | 6y ago | Reflected Cross-Site Scripting in Apache CXF | |||
| CVE-2019-12423 | unknown | — | — | 6y ago | Private key leak in Apache CXF | |||
| CVE-2019-14893 | unknown | — | — | 6y ago | Polymorphic deserialization of malicious object in jackson-databind | |||
| CVE-2019-14892 | unknown | — | — | 6y ago | Polymorphic deserialization of malicious object in jackson-databind | |||
| CVE-2019-12399 | unknown | — | — | 6y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Kafka | |||
| CVE-2019-14820 | unknown | — | — | 6y ago | Exposure of Sensitive Information to an Unauthorized Actor in Keycloak | |||
| CVE-2019-19135 | unknown | — | — | 6y ago | Insufficient Nonce Validation in Eclipse Milo Client | |||
| CVE-2019-17569 | unknown | — | — | 6y ago | Potential HTTP request smuggling in Apache Tomcat | |||
| CVE-2019-20444 | unknown | — | — | 6y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-20445 | unknown | — | — | 6y ago | HTTP Request Smuggling in Netty | |||
| CVE-2019-19703 | unknown | — | — | 6y ago | URL Redirection to Untrusted Site (Open Redirect) in Ktor | |||
| CVE-2019-10911 | unknown | — | — | 6y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with… | |||
| CVE-2019-10912 | unknown | — | — | 6y ago | In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul… | |||
| CVE-2019-11325 | unknown | — | — | 6y ago | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar… | |||
| CVE-2019-10172 | unknown | — | — | 6y ago | Improper Restriction of XML External Entity Reference in jackson-mapper-asl | |||
| CVE-2019-17556 | unknown | — | — | 6y ago | Deserialization of Untrusted Data in Apache Olingo | |||
| CVE-2019-17555 | unknown | — | — | 6y ago | Improper input validation in Apache Olingo | |||
| CVE-2019-12422 | unknown | — | — | 6y ago | Improper input validation in Apache Shiro | |||
| CVE-2019-10782 | unknown | — | — | 6y ago | XML external entity (XXE) processing ('external-parameter-entities' feature was not fully disabled)) | |||
| CVE-2019-10770 | unknown | — | — | 6y ago | Default development error handler in Ratpack is vulnerable to HTML content injection (XSS) | |||
| CVE-2019-10158 | unknown | — | — | 6y ago | Improper implementation of the session fixation protection in Infinispan | |||
| CVE-2019-10070 | unknown | — | — | 7y ago | Stored XSS in Apache Atlas | |||
| CVE-2019-10219 | unknown | — | — | 7y ago | The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks | |||
| CVE-2019-12418 | unknown | — | — | 7y ago | Insufficiently Protected Credentials in Apache Tomcat | |||
| CVE-2019-17563 | unknown | — | — | 7y ago | In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack | |||
| CVE-2019-12421 | unknown | — | — | 7y ago | Apache NiFi user log out issue | |||
| CVE-2019-10083 | unknown | — | — | 7y ago | Apache NiFi process group information disclosure | |||
| CVE-2019-10080 | unknown | — | — | 7y ago | Apache NiFi information disclosure by XXE | |||
| CVE-2019-17632 | unknown | — | — | 7y ago | Unescaped exception messages in error responses in Jetty | |||
| CVE-2019-10913 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu… | |||
| CVE-2019-18886 | unknown | — | — | 7y ago | An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor… | |||
| CVE-2019-18888 | unknown | — | — | 7y ago | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM… | |||
| CVE-2019-18889 | unknown | — | — | 7y ago | An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel… | |||
| CVE-2019-10212 | unknown | — | — | 7y ago | Potential to access user credentials from the log files when debug logging enabled | |||
| CVE-2019-10910 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec… | |||
| CVE-2019-0207 | unknown | — | — | 7y ago | Path traversal attack on Windows platforms | |||
| CVE-2019-10909 | unknown | — | — | 7y ago | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… | |||
| CVE-2019-12406 | unknown | — | — | 7y ago | Potential DOS attack due to unrestricted attachment count in messages | |||
| CVE-2019-12419 | unknown | — | — | 7y ago | Potential session hijack in Apache CXF | |||
| CVE-2019-10755 | unknown | — | — | 7y ago | Use of Cryptographically Weak Pseudo-Random Number Generator in org.pac4j:pac4j-saml | |||
| CVE-2019-11284 | unknown | — | — | 7y ago | Insufficiently Protected Credentials in Pivotal Reactor Netty | |||
| CVE-2019-17513 | unknown | — | — | 7y ago | io.ratpack:ratpack-core vulnerable to Improper Neutralization of Special Elements in Output ('Injection') | |||
| CVE-2019-17359 | unknown | — | — | 7y ago | Out-of-Memory Error in Bouncy Castle Crypto | |||
| CVE-2019-17195 | unknown | — | — | 7y ago | Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT | |||
| CVE-2019-17495 | unknown | — | — | 7y ago | Cross-site scripting in Swagger-UI | |||
| CVE-2019-17545 | unknown | — | — | 7y ago | GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded. | |||
| CVE-2019-12404 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10089 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10087 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-10090 | unknown | — | — | 7y ago | Cross-site scripting in Apache JSPWiki | |||
| CVE-2019-16869 | unknown | — | — | 7y ago | HTTP Request Smuggling in Netty |