CVEs from 2019
Total
3,419
critical
critical 232
high
high 336
medium
medium 309
low
low 71
% Critical
6.8%
% with KEV
3.5%
% with exploit
3.5%
Top products
- u-boot 20
- active_iq_unified_manager 7
- jdk 5
- weblogic_server 5
- oncommand_workflow_automation 5
- codeready_linux_builder_eus 4
- oncommand_insight 4
- libxslt 4
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2019-2607 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2624 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2689 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2626 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2625 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2455 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2494 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2585 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2584 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2826 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2808 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2814 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2687 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2802 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2801 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2617 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2636 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2486 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2810 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2789 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2589 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2752 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2778 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-2502 | high | — | 8.0 | 7y ago | Important: mysql:8.0 security update | |
| CVE-2019-12384 | high | — | 8.0 | 7y ago | Deserialization of Untrusted Data in FasterXML jackson-databind | |
| CVE-2019-12781 | high | — | 8.0 | 7y ago | An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT set… | |
| CVE-2019-9636 | high | — | 8.0 | 7y ago | Important: python27:2.7 security update | |
| CVE-2019-5736 | high | — | 8.0 | 7y ago | Important: container-tools:rhel8 security and bug fix update | |
| CVE-2019-10906 | high | — | 8.0 | 7y ago | In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. | |
| CVE-2019-8324 | high | — | 8.0 | 7y ago | Important: ruby:2.5 security update | |
| CVE-2019-19378 | high | 7.8 | 7.8 | 7y ago | In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image can lead to slab-out-of-bounds write access in index_rbio_pages in fs/btrfs/raid56.c. | |
| CVE-2019-13106 | high | 7.8 | 7.8 | 7y ago | Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution. | |
| CVE-2019-13104 | high | 7.8 | 7.8 | 7y ago | In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem. | |
| CVE-2019-18197 | high | 7.5 | 7.5 | 4y ago | In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds ch… | |
| CVE-2019-6852 | high | 7.5 | 7.5 | 7y ago | A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication mo… | |
| CVE-2019-13103 | high | 7.1 | 7.1 | 7y ago | A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwr… | |
| CVE-2019-8720 | medium | — | 7.0 | 4y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2019-6109 | medium | 6.8 | 6.8 | 7y ago | An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the… | |
| CVE-2019-16168 | medium | 6.5 | 6.5 | 5y ago | In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the … | |
| CVE-2019-11135 | medium | 6.5 | 6.5 | 6y ago | TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. | |
| CVE-2019-6129 | medium | 6.5 | 6.5 | 8y ago | png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated "I don't think it is libpng's job to free this buffer. | |
| CVE-2019-25648 | medium | 6.2 | 6.2 | 2mo ago | MyVideoConverter Pro 3.14 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying an excessively long string to the registration code input field. A… | |
| CVE-2019-11840 | medium | 5.9 | 5.9 | 7y ago | An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/… | |
| CVE-2019-11091 | medium | 5.6 | 5.6 | 7y ago | Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable informati… | |
| CVE-2019-11499 | medium | — | 5.5 | — | In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login component crashes if AUTH PLAIN is attempted over a TLS secured channel with an unacceptable authentication message. | |
| CVE-2019-10179 | medium | — | 5.5 | — | Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update | |
| CVE-2019-6291 | medium | — | 5.5 | — | An issue was discovered in the function expr6 in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6 function making recursive calls to itself … | |
| CVE-2019-7665 | medium | — | 5.5 | — | In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of s… | |
| CVE-2019-17006 | medium | — | 5.5 | — | In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the in… | |
| CVE-2019-17567 | medium | — | 5.5 | — | multiple issues in apache | |
| CVE-2019-12420 | medium | — | 5.5 | — | In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publ… | |
| CVE-2019-10218 | medium | — | 5.5 | — | A flaw was found in the samba client, all samba versions before samba 4.11.2, 4.10.10 and 4.9.15, where a malicious server can supply a pathname to the client with separators. This could allow the cl… | |
| CVE-2019-12210 | medium | — | 5.5 | — | In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descr… | |
| CVE-2019-3807 | medium | — | 5.5 | — | An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properl… | |
| CVE-2019-3806 | medium | — | 5.5 | — | An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly… | |
| CVE-2019-16927 | medium | — | 5.5 | — | Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877. | |
| CVE-2019-25034 | medium | — | 5.5 | — | Unbound before 1.9.5 allows an integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write. NOTE: The vendor disputes that this is a vulnerability. Although the code may be… | |
| CVE-2019-6988 | medium | — | 5.5 | — | An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_… | |
| CVE-2019-9199 | medium | — | 5.5 | — | PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose bi… | |
| CVE-2019-8396 | medium | — | 5.5 | — | A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while rep… | |
| CVE-2019-6128 | medium | — | 5.5 | — | The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. | |
| CVE-2019-6502 | medium | — | 5.5 | — | sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory leak, as demonstrated by a call from eidenv. | |
| CVE-2019-6475 | medium | — | 5.5 | — | Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to D… | |
| CVE-2019-20637 | medium | — | 5.5 | — | An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next re… | |
| CVE-2019-15718 | medium | — | 5.5 | — | access restriction bypass in systemd | |
| CVE-2019-7664 | medium | — | 5.5 | — | In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial… | |
| CVE-2019-18281 | medium | — | 5.5 | — | An out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an a… | |
| CVE-2019-19721 | medium | — | 5.5 | — | An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted i… | |
| CVE-2019-20388 | medium | — | 5.5 | — | xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. | |
| CVE-2019-19918 | medium | — | 5.5 | — | arbitrary code execution in lout | |
| CVE-2019-19480 | medium | — | 5.5 | — | An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/pkcs15-prkey.c has an incorrect free operation in sc_pkcs15_decode_prkdf_entry. | |
| CVE-2019-17185 | medium | — | 5.5 | — | Moderate: freeradius:3.0 security and bug fix update | |
| CVE-2019-5481 | medium | — | 5.5 | — | Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. | |
| CVE-2019-3460 | medium | — | 5.5 | — | A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. | |
| CVE-2019-3459 | medium | — | 5.5 | — | A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. | |
| CVE-2019-11494 | medium | — | 5.5 | — | In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command. | |
| CVE-2019-12209 | medium | — | 5.5 | — | Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks syml… | |
| CVE-2019-20093 | medium | — | 5.5 | — | The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file, because of ImageExtrac… | |
| CVE-2019-10146 | medium | — | 5.5 | — | Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update | |
| CVE-2019-15043 | medium | — | 5.5 | — | denial of service in grafana | |
| CVE-2019-15945 | medium | — | 5.5 | — | OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string in libopensc/asn1.c. | |
| CVE-2019-3832 | medium | — | 5.5 | — | It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this… | |
| CVE-2019-5719 | medium | — | 5.5 | — | In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the ISAKMP dissector could crash. This was addressed in epan/dissectors/packet-isakmp.c by properly handling the case of a missing decryption data blo… | |
| CVE-2019-25041 | medium | — | 5.5 | — | Unbound before 1.9.5 allows an assertion failure via a compressed name in dname_pkt_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unboun… | |
| CVE-2019-16378 | medium | — | 5.5 | — | OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone to a signature-bypass vulnerability with multiple From: addresses, which might affect applications that consider a domain name to be rel… | |
| CVE-2019-5716 | medium | — | 5.5 | — | In Wireshark 2.6.0 to 2.6.5, the 6LoWPAN dissector could crash. This was addressed in epan/dissectors/packet-6lowpan.c by avoiding use of a TVB before its creation. | |
| CVE-2019-13615 | medium | — | 5.5 | — | libebml before 1.3.6, as used in the MKV module in VideoLAN VLC Media Player binaries before 3.0.3, has a heap-based buffer over-read in EbmlElement::FindNextElement. | |
| CVE-2019-25040 | medium | — | 5.5 | — | Unbound before 1.9.5 allows an infinite loop via a compressed name in dname_pkt_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound in… | |
| CVE-2019-10723 | medium | — | 5.5 | — | An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class in doc/PdfPagesTreeCache.cpp has an attempted excessive memory allocation because nInitialSize is not validated. | |
| CVE-2019-25037 | medium | — | 5.5 | — | Unbound before 1.9.5 allows an assertion failure and denial of service in dname_pkt_copy via an invalid packet. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulner… | |
| CVE-2019-25032 | medium | — | 5.5 | — | Unbound before 1.9.5 allows an integer overflow in the regional allocator via regional_alloc. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Un… | |
| CVE-2019-5717 | medium | — | 5.5 | — | In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the P_MUL dissector could crash. This was addressed in epan/dissectors/packet-p_mul.c by rejecting the invalid sequence number of zero. | |
| CVE-2019-20790 | medium | — | 5.5 | — | OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM fi… | |
| CVE-2019-19917 | medium | — | 5.5 | — | arbitrary code execution in lout | |
| CVE-2019-17023 | medium | — | 5.5 | — | After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state,… | |
| CVE-2019-25035 | medium | — | 5.5 | — | Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound installation… | |
| CVE-2019-6476 | medium | — | 5.5 | — | A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.… | |
| CVE-2019-25042 | medium | — | 5.5 | — | Unbound before 1.9.5 allows an out-of-bounds write via a compressed name in rdata_copy. NOTE: The vendor disputes that this is a vulnerability. Although the code may be vulnerable, a running Unbound … | |
| CVE-2019-10691 | medium | — | 5.5 | — | The JSON encoder in Dovecot before 2.3.5.2 allows attackers to repeatedly crash the authentication service by attempting to authenticate with an invalid UTF-8 sequence as the username. | |
| CVE-2019-15946 | medium | — | 5.5 | — | OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry in libopensc/asn1.c. |