CVEs from 2020

- Total: 3,973
- Critical: 184
- High: 576
- Medium: 738
- Low: 59
- % Critical: 4.6%
- % with KEV: 3.7%
- % with exploit: 5.1%

The four severity buckets sum to 1,557; the remaining entries carry no severity rating and appear as `unknown` in the table below.
Top vendors
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-35211 | unknown | — | — | 5y ago | An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node. |
| CVE-2020-1940 | unknown | — | — | 5y ago | Improper Removal of Sensitive Information Before Storage or Transfer in Apache Jackrabbit Oak |
| CVE-2020-36282 | unknown | — | — | 5y ago | Unsafe Deserialization that can Result in Code Execution |
| CVE-2020-28491 | unknown | — | — | 5y ago | Denial of Service (DoS) in Jackson Dataformat CBOR |
| CVE-2020-36189 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36187 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36188 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36184 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36180 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36181 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36185 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36179 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-36182 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-24750 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-35491 | unknown | — | — | 5y ago | Serialization gadgets exploit in jackson-databind |
| CVE-2020-35490 | unknown | — | — | 5y ago | Serialization gadgets exploit in jackson-databind |
| CVE-2020-24616 | unknown | — | — | 5y ago | Code Injection in jackson-databind |
| CVE-2020-36186 | unknown | — | — | 5y ago | Unsafe Deserialization in jackson-databind |
| CVE-2020-14389 | unknown | — | — | 5y ago | Improper privilege management in Keycloak |
| CVE-2020-29204 | unknown | — | — | 5y ago | Cross-site Scripting in XXL-JOB |
| CVE-2020-8897 | unknown | — | — | 5y ago | Security issues in AWS KMS and AWS Encryption SDKs: in-band protocol negotiation and robustness |
| CVE-2020-7692 | unknown | — | — | 5y ago | Improper Authorization in Google OAuth Client |
| CVE-2020-21122 | unknown | — | — | 5y ago | Server-Side Request Forgery in UReport |
| CVE-2020-21125 | unknown | — | — | 5y ago | Remote code execution in UReport |
| CVE-2020-1744 | unknown | — | — | 5y ago | Exposure of Sensitive Information in Keycloak |
| CVE-2020-13929 | unknown | — | — | 5y ago | Authentication bypass in Apache Zeppelin |
| CVE-2020-6950 | unknown | — | — | 5y ago | Directory traversal in Eclipse Mojarra |
| CVE-2020-15522 | unknown | — | — | 5y ago | Timing based private key exposure in Bouncy Castle |
| CVE-2020-27178 | unknown | — | — | 5y ago | Improper Authentication in Apereo CAS |
| CVE-2020-19676 | unknown | — | — | 5y ago | Incorrect Access Control in Nacos |
| CVE-2020-12642 | unknown | — | — | 5y ago | XXE vulnerability in Launch import |
| CVE-2020-11977 | unknown | — | — | 5y ago | Shell command injection in Apache Syncope |
| CVE-2020-1959 | unknown | — | — | 5y ago | Expression Language Injection in Apache Syncope |
| CVE-2020-1961 | unknown | — | — | 5y ago | Injection in Apache Syncope |
| CVE-2020-10688 | unknown | — | — | 5y ago | Cross-site scripting in RESTEasy |
| CVE-2020-12690 | unknown | — | — | 5y ago | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a key… |
| CVE-2020-25724 | unknown | — | — | 5y ago | Unsynchronized Access to Shared Data in a Multithreaded Context in RESTEasy |
| CVE-2020-14340 | unknown | — | — | 5y ago | Uncontrolled Resource Consumption in XNIO |
| CVE-2020-1719 | unknown | — | — | 5y ago | Privilege Context Switching Error in WildFly |
| CVE-2020-10693 | unknown | — | — | 5y ago | Improper Input Validation in Hibernate Validator |
| CVE-2020-25633 | unknown | — | — | 5y ago | Generation of Error Message Containing Sensitive Information in RESTEasy client |
| CVE-2020-11972 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in Apache Camel RabbitMQ |
| CVE-2020-1960 | unknown | — | — | 5y ago | Command injection in Apache Flink |
| CVE-2020-11971 | unknown | — | — | 5y ago | Improper Input Validation in Apache Camel |
| CVE-2020-7709 | unknown | — | — | 5y ago | Prototype pollution in json-pointer |
| CVE-2020-10544 | unknown | — | — | 5y ago | Cross-site Scripting in PrimeFaces |
| CVE-2020-24554 | unknown | — | — | 5y ago | Open Redirect in Liferay Portal |
| CVE-2020-25020 | unknown | — | — | 5y ago | Improper Restriction of XML External Entity Reference in MPXJ |
| CVE-2020-9298 | unknown | — | — | 5y ago | Server-Side Request Forgery in Spinnaker Orca |
| CVE-2020-13933 | unknown | — | — | 5y ago | Authentication bypass in Apache Shiro |
| CVE-2020-11976 | unknown | — | — | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Wicket |
| CVE-2020-1951 | unknown | — | — | 5y ago | Infinite Loop in Apache Tika |
| CVE-2020-1950 | unknown | — | — | 5y ago | Uncontrolled Resource Consumption in Apache Tika |
| CVE-2020-9489 | unknown | — | — | 5y ago | Missing Release of Memory after Effective Lifetime in Apache Tika |
| CVE-2020-1957 | unknown | — | — | 5y ago | Improper Authentication in Apache Shiro |
| CVE-2020-11989 | unknown | — | — | 5y ago | Improper Authentication in Apache Shiro |
| CVE-2020-7712 | unknown | — | — | 5y ago | trentm/json vulnerable to command injection |
| CVE-2020-5421 | unknown | — | — | 5y ago | Improper Input Validation in Spring Framework |
| CVE-2020-5412 | unknown | — | — | 5y ago | Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix |
| CVE-2020-10687 | unknown | — | — | 5y ago | HTTP Request Smuggling in Undertow |
| CVE-2020-10705 | unknown | — | — | 5y ago | Allocation of Resources Without Limits or Throttling in Undertow |
| CVE-2020-10719 | unknown | — | — | 5y ago | HTTP Request Smuggling in Undertow |
| CVE-2020-26939 | unknown | — | — | 5y ago | Observable Differences in Behavior to Error Inputs in Bouncy Castle |
| CVE-2020-35217 | unknown | — | — | 5y ago | Cross-Site Request Forgery in Vert.x-Web framework |
| CVE-2020-9447 | unknown | — | — | 5y ago | Cross-site Scripting in GwtUpload |
| CVE-2020-13954 | unknown | — | — | 5y ago | Cross-site scripting in Apache CXF |
| CVE-2020-7744 | unknown | — | — | 5y ago | Remote Code Execution and download tracking in Mintegral SDK |
| CVE-2020-26945 | unknown | — | — | 5y ago | Deserialization errors in MyBatis |
| CVE-2020-13955 | unknown | — | — | 5y ago | Missing Authentication for Critical Function in Apache Calcite |
| CVE-2020-17510 | unknown | — | — | 5y ago | Authentication bypass in Apache Shiro |
| CVE-2020-36319 | unknown | — | — | 5y ago | Potential sensitive data exposure in applications using Vaadin 15 |
| CVE-2020-36321 | unknown | — | — | 5y ago | Directory traversal in development mode handler in Vaadin 14 and 15-17 |
| CVE-2020-36320 | unknown | — | — | 5y ago | Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7 |
| CVE-2020-8908 | unknown | — | — | 5y ago | Information Disclosure in Guava |
| CVE-2020-7014 | unknown | — | — | 5y ago | Privilege Escalation Flaw in Elasticsearch |
| CVE-2020-7020 | unknown | — | — | 5y ago | Privilege Context Switching Error in Elasticsearch |
| CVE-2020-13959 | unknown | — | — | 5y ago | Cross-site scripting (XSS) in Apache Velocity Tools |
| CVE-2020-27223 | unknown | — | — | 5y ago | DoS vulnerability for quoted quality CSV headers |
| CVE-2020-13697 | unknown | — | — | 5y ago | NanoHTTPD Cross-site Scripting vulnerability |
| CVE-2020-25649 | unknown | — | — | 5y ago | XML External Entity (XXE) Injection in Jackson Databind |
| CVE-2020-8570 | unknown | — | — | 5y ago | Path Traversal in the Java Kubernetes Client |
| CVE-2020-13922 | unknown | — | — | 6y ago | Incorrect Default Permissions in Apache DolphinScheduler |
| CVE-2020-26282 | unknown | — | — | 6y ago | Server-Side Template Injection |
| CVE-2020-26258 | unknown | — | — | 6y ago | Server-Side Request Forgery can be triggered when unmarshalling with XStream |
| CVE-2020-26259 | unknown | — | — | 6y ago | XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling |
| CVE-2020-35460 | unknown | — | — | 6y ago | MPXJ Path Traversal vulnerability |
| CVE-2020-26234 | unknown | — | — | 6y ago | Disabled Hostname Verification in Opencast |
| CVE-2020-27218 | unknown | — | — | 6y ago | Buffer not correctly recycled in Gzip Request inflation |
| CVE-2020-26238 | unknown | — | — | 6y ago | Template injection in cron-utils |
| CVE-2020-26237 | unknown | — | — | 6y ago | Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will … |
| CVE-2020-26217 | unknown | — | — | 6y ago | XStream can be used for Remote Code Execution |
| CVE-2020-27216 | unknown | — | — | 6y ago | Local Temp Directory Hijacking Vulnerability |
| CVE-2020-35922 | unknown | — | — | 6y ago | An issue was discovered in the mio crate before 0.7.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation. |
| CVE-2020-8929 | unknown | — | — | 6y ago | Ciphertext Malleability Issue in Tink Java |
| CVE-2020-15252 | unknown | — | — | 6y ago | RCE in XWiki |
| CVE-2020-15170 | unknown | — | — | 6y ago | Potential access control security issue in apollo-adminservice |
| CVE-2020-15171 | unknown | — | — | 6y ago | Users with SCRIPT right can execute arbitrary code in XWiki |
| CVE-2020-24660 | unknown | — | — | 6y ago | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also af… |
| CVE-2020-15094 | unknown | — | — | 6y ago | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… |
| CVE-2020-12480 | unknown | — | — | 6y ago | CSRF in Play Framework |