CVEs from 2021

Total: 4,816
- critical: 279
- high: 1,005
- medium: 1,166
- low: 138
- % Critical: 5.8%
- % with KEV: 4.4%
- % with exploit: 5.3%

Top products
- office 13
- primavera_gateway 10
- weblogic_server 9
- modicon_m340_bmxp342020 8
- log4j 8
- primavera_unifier 8
- retail_service_backbone 7
- communications_unified_inventory_management 7
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-40111 | unknown | — | — | 5y ago | Infinite Loop in Apache James |
| CVE-2021-38542 | unknown | — | — | 5y ago | Command Injection in Apache James |
| CVE-2021-40110 | unknown | — | — | 5y ago | Denial of Service in Apache James |
| CVE-2021-44878 | unknown | — | — | 5y ago | Pac4j token validation bypass if OpenID Connect provider supports none algorithm |
| CVE-2021-23382 | unknown | — | — | 5y ago | The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused … |
| CVE-2021-33430 | unknown | — | — | 5y ago | A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a mali… |
| CVE-2021-22569 | unknown | — | — | 5y ago | A potential Denial of Service issue in protobuf-java |
| CVE-2021-41561 | unknown | — | — | 5y ago | Improper Input Validation in Parquet-MR |
| CVE-2021-42392 | unknown | — | — | 5y ago | RCE in H2 Console |
| CVE-2021-34797 | unknown | — | — | 5y ago | Insertion of Sensitive Information into Log File in Apache Geode |
| CVE-2021-44548 | unknown | — | — | 5y ago | Apache Solr Improper Input Validation and Path Traversal |
| CVE-2021-21667 | unknown | — | — | 5y ago | Stored XSS vulnerability in Jenkins Scriptler Plugin |
| CVE-2021-21668 | unknown | — | — | 5y ago | Stored XSS vulnerability in Jenkins Scriptler Plugin |
| CVE-2021-29061 | unknown | — | — | 5y ago | ReDOS in Vfsjfilechooser2 |
| CVE-2021-30468 | unknown | — | — | 5y ago | Infinite loop in Apache CXF |
| CVE-2021-4133 | unknown | — | — | 5y ago | Improper Authorization in Keycloak |
| CVE-2021-44145 | unknown | — | — | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache NiFi |
| CVE-2021-45943 | unknown | — | — | 5y ago | GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment… |
| CVE-2021-34141 | unknown | — | — | 5y ago | An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor sta… |
| CVE-2021-23264 | unknown | — | — | 5y ago | Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search |
| CVE-2021-23463 | unknown | — | — | 5y ago | Improper Restriction of XML External Entity Reference in com.h2database:h2. |
| CVE-2021-44549 | unknown | — | — | 5y ago | Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Apache Sling Commons Messaging Mail |
| CVE-2021-43113 | unknown | — | — | 5y ago | Command injection in itext7-core |
| CVE-2021-43821 | unknown | — | — | 5y ago | Files Accessible to External Parties in Opencast |
| CVE-2021-43807 | unknown | — | — | 5y ago | HTTP Method Spoofing |
| CVE-2021-42567 | unknown | — | — | 5y ago | Cross-site Scripting in Apereo CAS |
| CVE-2021-43795 | unknown | — | — | 5y ago | Path Traversal in com.linecorp.armeria:armeria |
| CVE-2021-40369 | unknown | — | — | 5y ago | Apache JSPWiki Cross-site Scripting due to carefully crafted plugin link invocation |
| CVE-2021-22095 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in Spring AMQP |
| CVE-2021-44140 | unknown | — | — | 5y ago | Incorrect Default Permissions in Apache JSPWiki |
| CVE-2021-40830 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 |
| CVE-2021-40829 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 |
| CVE-2021-40828 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 |
| CVE-2021-41270 | unknown | — | — | 5y ago | Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 bef… |
| CVE-2021-40831 | unknown | — | — | 5y ago | Improper certificate management in AWS IoT Device SDK v2 |
| CVE-2021-41268 | unknown | — | — | 5y ago | Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version… |
| CVE-2021-41267 | unknown | — | — | 5y ago | Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers"… |
| CVE-2021-39231 | unknown | — | — | 5y ago | Exposure of sensitive information in Apache Ozone |
| CVE-2021-39233 | unknown | — | — | 5y ago | Incorrect Authorization in Apache Ozone |
| CVE-2021-41532 | unknown | — | — | 5y ago | Apache Ozone exposes OM, SCM and Datanode metadata |
| CVE-2021-39235 | unknown | — | — | 5y ago | Incorrect permissions in Apache Ozone |
| CVE-2021-36372 | unknown | — | — | 5y ago | Improper Privilege Management in Apache Ozone |
| CVE-2021-39232 | unknown | — | — | 5y ago | Incorrect Authorization in Apache Ozone |
| CVE-2021-39236 | unknown | — | — | 5y ago | Apache Ozone user impersonation due to non-validation of Ozone S3 tokens |
| CVE-2021-39234 | unknown | — | — | 5y ago | Incorrect Authorization in Apache Ozone |
| CVE-2021-22053 | unknown | — | — | 5y ago | Code injection in spring-cloud-netflix-hystrix-dashboard |
| CVE-2021-37580 | unknown | — | — | 5y ago | Improper Authentication in Apache ShenYu Admin |
| CVE-2021-45710 | unknown | — | — | 5y ago | An issue was discovered in the tokio crate before 1.8.4, and 1.9.x through 1.13.x before 1.13.1, for Rust. In certain circumstances involving a closed oneshot channel, there is a data race and memory… |
| CVE-2021-41269 | unknown | — | — | 5y ago | Critical vulnerability found in cron-utils |
| CVE-2021-43570 | unknown | — | — | 5y ago | Improper Verification of Cryptographic Signature in starkbank-ecdsa |
| CVE-2021-43466 | unknown | — | — | 5y ago | Template injection in thymeleaf-spring5 |
| CVE-2021-22051 | unknown | — | — | 5y ago | Request injection in Spring Cloud Gateway |
| CVE-2021-33611 | unknown | — | — | 5y ago | Reflected cross-site scripting in vaadin-menu-bar webjar resources in Vaadin 14 |
| CVE-2021-41973 | unknown | — | — | 5y ago | Infinite loop in Apache MINA |
| CVE-2021-27644 | unknown | — | — | 5y ago | SQL injection in Apache DolphinScheduler |
| CVE-2021-41189 | unknown | — | — | 5y ago | Communities and collections administrators can escalate their privilege up to system administrator |
| CVE-2021-40865 | unknown | — | — | 5y ago | Deserialization of Untrusted Data leading to Remote Code Execution in Apache Storm |
| CVE-2021-41182 | unknown | — | — | 5y ago | XSS in the `altField` option of the Datepicker widget in jquery-ui |
| CVE-2021-41183 | unknown | — | — | 5y ago | XSS in `*Text` options of the Datepicker widget in jquery-ui |
| CVE-2021-41184 | unknown | — | — | 5y ago | XSS in the `of` option of the `.position()` util in jquery-ui |
| CVE-2021-42575 | unknown | — | — | 5y ago | Policies not properly enforced in OWASP Java HTML Sanitizer |
| CVE-2021-33609 | unknown | — | — | 5y ago | Denial of service in DataCommunicator class in Vaadin 8 |
| CVE-2021-25738 | unknown | — | — | 5y ago | Code injection in Kubernetes Java Client |
| CVE-2021-3312 | unknown | — | — | 5y ago | XML External Entity Reference in org.opencms:opencms-core |
| CVE-2021-28170 | unknown | — | — | 5y ago | Improper Input Validation in Jakarta Expression Language |
| CVE-2021-41862 | unknown | — | — | 5y ago | Expression injection in AviatorScript |
| CVE-2021-41616 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in org.apache.ddlutils:ddlutils |
| CVE-2021-25959 | unknown | — | — | 5y ago | Cross-site Scripting in OpenCRX |
| CVE-2021-36749 | unknown | — | — | 5y ago | Druid ingestion system: authenticated users can read data from other sources than intended |
| CVE-2021-38153 | unknown | — | — | 5y ago | Observable Discrepancy in Apache Kafka |
| CVE-2021-41084 | unknown | — | — | 5y ago | Response Splitting from unsanitized headers |
| CVE-2021-26333 | unknown | — | — | 5y ago | An information disclosure vulnerability exists in AMD Platform Security Processor (PSP) chipset driver. The discretionary access control list (DACL) may allow low privileged users to open a handle an… |
| CVE-2021-40690 | unknown | — | — | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario |
| CVE-2021-41079 | unknown | — | — | 5y ago | Infinite loop in Tomcat due to parsing error |
| CVE-2021-22147 | unknown | — | — | 5y ago | Exposure of sensitive information in Elasticsearch |
| CVE-2021-39239 | unknown | — | — | 5y ago | XML External Entity Reference in Apache Jena |
| CVE-2021-41303 | unknown | — | — | 5y ago | Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass |
| CVE-2021-40146 | unknown | — | — | 5y ago | Remote Code Execution in Any23 |
| CVE-2021-38555 | unknown | — | — | 5y ago | XML Injection in Any23 |
| CVE-2021-37579 | unknown | — | — | 5y ago | Security check skip in Apache Dubbo |
| CVE-2021-36161 | unknown | — | — | 5y ago | Remote Code Execution in Apache Dubbo |
| CVE-2021-36162 | unknown | — | — | 5y ago | Remote Code Execution in Apache Dubbo |
| CVE-2021-36163 | unknown | — | — | 5y ago | Hessian protocol configuration vulnerability in Apache Dubbo |
| CVE-2021-40143 | unknown | — | — | 5y ago | HTTP header injection in Sonatype Nexus Repository |
| CVE-2021-39194 | unknown | — | — | 5y ago | Improper Handling of Missing Values in kaml |
| CVE-2021-39177 | unknown | — | — | 5y ago | User impersonation due to incorrect handling of the login JWT |
| CVE-2021-27578 | unknown | — | — | 5y ago | Cross-site Scripting in Apache Zeppelin |
| CVE-2021-39185 | unknown | — | — | 5y ago | Default CORS config allows any origin with credentials |
| CVE-2021-34371 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in Neo4j |
| CVE-2021-39132 | unknown | — | — | 5y ago | YAML deserialization can run untrusted code |
| CVE-2021-39133 | unknown | — | — | 5y ago | Cross-Site Request Forgery (CSRF) can run untrusted code on Rundeck server |
| CVE-2021-32827 | unknown | — | — | 5y ago | Injection in MockServer |
| CVE-2021-33605 | unknown | — | — | 5y ago | Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20 |
| CVE-2021-39139 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39140 | unknown | — | — | 5y ago | XStream can cause a Denial of Service |
| CVE-2021-39141 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39145 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39146 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39147 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39148 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |