CVEs from 2021

- Total: 4,816
- Critical: 279
- High: 1,005
- Medium: 1,166
- Low: 138
- % Critical: 5.8%
- % with KEV: 4.4%
- % with exploit: 5.3%
Top products
- office 13
- primavera_gateway 10
- weblogic_server 9
- modicon_m340_bmxp342020 8
- log4j 8
- primavera_unifier 8
- retail_service_backbone 7
- communications_unified_inventory_management 7
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2021-39149 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39150 | unknown | — | — | 5y ago | A Server-Side Request Forgery (SSRF) can be triggered when unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host |
| CVE-2021-39151 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39152 | unknown | — | — | 5y ago | A Server-Side Request Forgery (SSRF) can be triggered when unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host |
| CVE-2021-39153 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-39154 | unknown | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-37714 | unknown | — | — | 5y ago | Uncaught Exception in jsoup |
| CVE-2021-33348 | unknown | — | — | 5y ago | Cross-site scripting in jfinal |
| CVE-2021-26920 | unknown | — | — | 5y ago | Apache Druid ingestion system: authenticated users can read data from sources other than those intended |
| CVE-2021-33192 | unknown | — | — | 5y ago | Cross-site scripting in Apache Jena Fuseki |
| CVE-2021-30640 | unknown | — | — | 5y ago | Authentication Bypass by Alternate Name in Apache Tomcat |
| CVE-2021-33037 | unknown | — | — | 5y ago | HTTP Request Smuggling in Apache Tomcat |
| CVE-2021-30639 | unknown | — | — | 5y ago | Improper Handling of Exceptional Conditions in Apache Tomcat |
| CVE-2021-37578 | unknown | — | — | 5y ago | Deserialization of Untrusted Data in Apache jUDDI |
| CVE-2021-22144 | unknown | — | — | 5y ago | Denial of Service in Elasticsearch |
| CVE-2021-33900 | unknown | — | — | 5y ago | Missing encryption in Apache Directory Studio |
| CVE-2021-23408 | unknown | — | — | 5y ago | Prototype Pollution in GraphHopper |
| CVE-2021-35043 | unknown | — | — | 5y ago | Cross-site Scripting in OWASP AntiSamy |
| CVE-2021-36090 | unknown | — | — | 5y ago | Improper Handling of Length Parameter Inconsistency in Apache Commons Compress |
| CVE-2021-35517 | unknown | — | — | 5y ago | Improper Handling of Length Parameter Inconsistency in Apache Commons Compress |
| CVE-2021-35516 | unknown | — | — | 5y ago | Improper Handling of Length Parameter Inconsistency in Apache Commons Compress |
| CVE-2021-35515 | unknown | — | — | 5y ago | Excessive Iteration in Apache Commons Compress |
| CVE-2021-30129 | unknown | — | — | 5y ago | Buffer Overflow in Apache Mina SSHD |
| CVE-2021-32769 | unknown | — | — | 5y ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in micronaut-core |
| CVE-2021-32012 | unknown | — | — | 5y ago | Denial of Service in SheetJS Pro |
| CVE-2021-32013 | unknown | — | — | 5y ago | Denial of Service in SheetJS Pro |
| CVE-2021-32014 | unknown | — | — | 5y ago | Denial of Service in SheetJS Pro |
| CVE-2021-3637 | unknown | — | — | 5y ago | Allocation of resources without limits or throttling in keycloak-model-infinispan |
| CVE-2021-38193 | unknown | — | — | 5y ago | An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870. |
| CVE-2021-38191 | unknown | — | — | 5y ago | An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a JoinHandle::abort, a Task may be dropped in the wrong thread. |
| CVE-2021-32729 | unknown | — | — | 5y ago | A user without programming rights (PR) can reset the authentication-failure information of other users |
| CVE-2021-32730 | unknown | — | — | 5y ago | No CSRF protection on the password change form |
| CVE-2021-32731 | unknown | — | — | 5y ago | The reset password form reveals users' email addresses |
| CVE-2021-21672 | unknown | — | — | 5y ago | XXE vulnerability in Jenkins Selenium HTML report Plugin |
| CVE-2021-22119 | unknown | — | — | 5y ago | Resource Exhaustion in Spring Security |
| CVE-2021-22135 | unknown | — | — | 5y ago | API information disclosure flaw in Elasticsearch |
| CVE-2021-29479 | unknown | — | — | 5y ago | Cached redirect poisoning via X-Forwarded-Host header |
| CVE-2021-29480 | unknown | — | — | 5y ago | Ratpack's default client side session signing key is highly predictable |
| CVE-2021-29481 | unknown | — | — | 5y ago | Unencrypted storage of client side sessions |
| CVE-2021-29485 | unknown | — | — | 5y ago | Remote Code Execution Vulnerability in Session Storage |
| CVE-2021-33604 | unknown | — | — | 5y ago | Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19 |
| CVE-2021-31412 | unknown | — | — | 5y ago | Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 |
| CVE-2021-34428 | unknown | — | — | 5y ago | SessionListener can prevent a session from being invalidated, breaking logout |
| CVE-2021-32693 | unknown | — | — | 5y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prio… |
| CVE-2021-32623 | unknown | — | — | 5y ago | Billion laughs attack (XML bomb) |
| CVE-2021-27568 | unknown | — | — | 5y ago | Improper Check for Unusual or Exceptional Conditions in json-smart |
| CVE-2021-27807 | unknown | — | — | 5y ago | Excessive Iteration Denial of Service in Apache PDFBox |
| CVE-2021-23331 | unknown | — | — | 5y ago | Insecure temporary file used in com.squareup:connect |
| CVE-2021-26919 | unknown | — | — | 5y ago | Arbitrary code execution in Apache Druid |
| CVE-2021-20220 | unknown | — | — | 5y ago | HTTP request smuggling in Undertow |
| CVE-2021-25122 | unknown | — | — | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
| CVE-2021-27576 | unknown | — | — | 5y ago | Uncontrolled Resource Consumption in Apache OpenMeetings server |
| CVE-2021-26117 | unknown | — | — | 5y ago | Improper Authentication in Apache ActiveMQ and Apache ActiveMQ Artemis |
| CVE-2021-26118 | unknown | — | — | 5y ago | Apache ActiveMQ Artemis vulnerable to Improper Access Control |
| CVE-2021-23926 | unknown | — | — | 5y ago | Improper Restriction of Recursive Entity References in Apache XMLBeans |
| CVE-2021-23899 | unknown | — | — | 5y ago | Arbitrary code injection in json-sanitizer |
| CVE-2021-26296 | unknown | — | — | 5y ago | Cryptographically weak CSRF tokens in Apache MyFaces |
| CVE-2021-21620 | unknown | — | — | 5y ago | Cross-Site Request Forgery in the Jenkins Claim Plugin |
| CVE-2021-21654 | unknown | — | — | 5y ago | Missing Authorization in Jenkins P4 Plugin |
| CVE-2021-21653 | unknown | — | — | 5y ago | Missing Authorization in Jenkins xray-connector Plugin |
| CVE-2021-21651 | unknown | — | — | 5y ago | Missing Authorization in Jenkins S3 publisher Plugin |
| CVE-2021-21650 | unknown | — | — | 5y ago | Missing Authorization in Jenkins S3 publisher Plugin |
| CVE-2021-21652 | unknown | — | — | 5y ago | CSRF vulnerability in Jenkins Xray - Test Management for Jira Plugin allows capturing credentials |
| CVE-2021-21649 | unknown | — | — | 5y ago | Cross-site Scripting in Jenkins Dashboard View Plugin |
| CVE-2021-21648 | unknown | — | — | 5y ago | Cross-Site Request Forgery in Jenkins Credentials Plugin |
| CVE-2021-26077 | unknown | — | — | 5y ago | Improper Authentication in Atlassian Connect Spring Boot |
| CVE-2021-32053 | unknown | — | — | 5y ago | Uncontrolled Resource Consumption in JPA Server in HAPI FHIR |
| CVE-2021-31164 | unknown | — | — | 5y ago | Command injection in Apache Unomi |
| CVE-2021-21661 | unknown | — | — | 5y ago | Missing Authorization in Jenkins Kubernetes CLI Plugin |
| CVE-2021-21666 | unknown | — | — | 5y ago | Cross-site scripting in Jenkins Kiuwan Plugin |
| CVE-2021-20293 | unknown | — | — | 5y ago | Cross-Site Scripting |
| CVE-2021-31811 | unknown | — | — | 5y ago | Uncontrolled memory consumption in Apache PDFBox |
| CVE-2021-31812 | unknown | — | — | 5y ago | Infinite Loop in Apache PDFBox |
| CVE-2021-28169 | unknown | — | — | 5y ago | Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability |
| CVE-2021-22160 | unknown | — | — | 5y ago | Improper Verification of Cryptographic Signature in Apache Pulsar |
| CVE-2021-32643 | unknown | — | — | 5y ago | StaticFile.fromUrl can leak presence of a directory |
| CVE-2021-25933 | unknown | — | — | 5y ago | Cross-site Scripting in OpenNMS Horizon |
| CVE-2021-25929 | unknown | — | — | 5y ago | Cross-site Scripting in OpenNMS Horizon |
| CVE-2021-25931 | unknown | — | — | 5y ago | Cross-Site Request Forgery in OpenNMS Horizon |
| CVE-2021-25930 | unknown | — | — | 5y ago | Cross-Site Request Forgery in OpenNMS Horizon |
| CVE-2021-3536 | unknown | — | — | 5y ago | Cross-site Scripting in Wildfly |
| CVE-2021-29506 | unknown | — | — | 5y ago | Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service |
| CVE-2021-29505 | unknown | — | — | 5y ago | XStream is vulnerable to a Remote Command Execution attack |
| CVE-2021-32620 | unknown | — | — | 5y ago | XWiki users registered with email verification can self re-activate their disabled accounts |
| CVE-2021-32621 | unknown | — | — | 5y ago | Script injection without script or programming rights through Gadget titles |
| CVE-2021-23900 | unknown | — | — | 5y ago | Uncaught Exception leading to Denial of Service in json-sanitizer |
| CVE-2021-27582 | unknown | — | — | 5y ago | Autobinding vulnerability in MITREid Connect |
| CVE-2021-21043 | unknown | — | — | 5y ago | Reflected Cross-site Scripting (XSS) in ACS Commons |
| CVE-2021-22696 | unknown | — | — | 5y ago | Authorization service vulnerable to DoS attacks in Apache CXF |
| CVE-2021-26715 | unknown | — | — | 5y ago | Server Side Request Forgery (SSRF) in org.mitre:openid-connect-server |
| CVE-2021-26544 | unknown | — | — | 5y ago | Apache Livy Cross-site scripting (XSS) in session names |
| CVE-2021-27906 | unknown | — | — | 5y ago | Uncontrolled Memory Allocation in Apache PDFBox |
| CVE-2021-21424 | unknown | — | — | 5y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling de… |
| CVE-2021-23368 | unknown | — | — | 5y ago | The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. |
| CVE-2021-28657 | unknown | — | — | 5y ago | Infinite loop in Apache Tika |
| CVE-2021-26074 | unknown | — | — | 5y ago | Broken Authentication in Atlassian Connect Spring Boot |
| CVE-2021-22113 | unknown | — | — | 5y ago | Incorrect Authorization in Spring Cloud Netflix Zuul |
| CVE-2021-23339 | unknown | — | — | 5y ago | HTTP Request Smuggling in akka-http-core |
| CVE-2021-31411 | unknown | — | — | 5y ago | Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 |
| CVE-2021-31409 | unknown | — | — | 5y ago | Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8 |