CVEs from 2021
Total
6,087
critical
critical 273
high
high 975
medium
medium 1,141
low
low 135
% Critical
4.5%
% with KEV
3.5%
% with exploit
3.5%
Top products
- office 13
- 365_apps 6
- office_long_term_servicing_channel 6
- library_automation_system 5
- single_connect 4
- http_server 3
- solidfire 2
- student_information_management_system 2
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-32437 | medium | — | 5.5 | — | The gf_hinter_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |
| CVE-2021-34549 | medium | — | 5.5 | — | An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005. Hashing is mishandled for certain retrieval of circuit data. Consequently. an attacker can trigger the use of an attacker-chosen cir… | |
| CVE-2021-34550 | medium | — | 5.5 | — | An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The v3 onion service descriptor parsing allows out-of-bounds memory access, and a client crash, via a crafted onion service descript… | |
| CVE-2021-22923 | medium | — | 5.5 | — | Moderate: curl security update | |
| CVE-2021-40540 | medium | — | 5.5 | — | ulfius_uri_logger in Ulfius HTTP Framework before 2.7.4 omits con_info initialization and a con_info->request NULL check for certain malformed HTTP requests. | |
| CVE-2021-21860 | medium | — | 5.5 | — | An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an i… | |
| CVE-2021-21853 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |
| CVE-2021-30474 | medium | — | 5.5 | — | multiple issues in aom | |
| CVE-2021-3755 | medium | — | 5.5 | — | arbitrary command execution in rsync | |
| CVE-2021-21851 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input at “csgp”… | |
| CVE-2021-21844 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when enco… | |
| CVE-2021-21841 | medium | — | 5.5 | — | An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when reading an … | |
| CVE-2021-42377 | medium | — | 5.5 | — | An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& strin… | |
| CVE-2021-42385 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | |
| CVE-2021-42383 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | |
| CVE-2021-40529 | medium | — | 5.5 | — | The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dan… | |
| CVE-2021-3623 | medium | — | 5.5 | — | A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM … | |
| CVE-2021-32055 | medium | — | 5.5 | — | Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bounds read in situations where an IMAP sequence set en… | |
| CVE-2021-31259 | medium | — | 5.5 | — | The gf_isom_cenc_get_default_info_internal function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |
| CVE-2021-41798 | medium | — | 5.5 | — | MediaWiki before 1.36.2 allows XSS. Month related MediaWiki messages are not escaped before being used on the Special:Search results page. | |
| CVE-2021-41799 | medium | — | 5.5 | — | MediaWiki before 1.36.2 allows a denial of service (resource consumption because of lengthy query processing time). ApiQueryBacklinks (action=query&list=backlinks) can cause a full table scan. | |
| CVE-2021-30158 | medium | — | 5.5 | — | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user mi… | |
| CVE-2021-33362 | medium | — | 5.5 | — | Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | |
| CVE-2021-30004 | medium | — | 5.5 | — | In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c. | |
| CVE-2021-28952 | medium | — | 5.5 | — | An issue was discovered in the Linux kernel through 5.11.8. The sound/soc/qcom/sdm845.c soundwire device driver has a buffer overflow when an unexpected port ID number is encountered, aka CID-1c668e1… | |
| CVE-2021-21836 | medium | — | 5.5 | — | An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input using the “ctts”… | |
| CVE-2021-3738 | medium | — | 5.5 | — | In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sa… | |
| CVE-2021-20292 | medium | — | 5.5 | — | There is a flaw reported in the Linux kernel in versions before 5.9 in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in Nouveau DRM subsystem. The issue results from the lack of… | |
| CVE-2021-29657 | medium | — | 5.5 | — | arch/x86/kvm/svm/nested.c in the Linux kernel before 5.11.12 has a use-after-free in which an AMD KVM guest can bypass access control on host OS MSRs when there are nested guests, aka CID-a58d9166a75… | |
| CVE-2021-23191 | medium | — | 5.5 | — | A security issue was found in htmldoc v1.9.12 and before. A NULL pointer dereference in the function image_load_jpeg() in image.cxx may result in denial of service. | |
| CVE-2021-32493 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences. | |
| CVE-2021-20241 | medium | — | 5.5 | — | A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The hig… | |
| CVE-2021-20243 | medium | — | 5.5 | — | A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. … | |
| CVE-2021-21381 | medium | — | 5.5 | — | Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forward… | |
| CVE-2021-30469 | medium | — | 5.5 | — | A flaw was found in PoDoFo 0.9.7. An use-after-free in PoDoFo::PdfVecObjects::Clear() function can cause a denial of service via a crafted PDF file. | |
| CVE-2021-32272 | medium | — | 5.5 | — | An issue was discovered in faad2 before 2.10.0. A heap-buffer-overflow exists in the function stszin located in mp4read.c. It allows an attacker to cause Code Execution. | |
| CVE-2021-26252 | medium | — | 5.5 | — | A flaw was found in htmldoc in v1.9.12. Heap buffer overflow in pspdf_prepare_page(),in ps-pdf.cxx may lead to execute arbitrary code and denial of service. | |
| CVE-2021-2163 | medium | — | 5.5 | — | Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.… | |
| CVE-2021-39212 | medium | — | 5.5 | — | ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected ve… | |
| CVE-2021-38114 | medium | — | 5.5 | — | libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar issue to CVE-2013-0868. | |
| CVE-2021-20271 | medium | — | 5.5 | — | A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature … | |
| CVE-2021-22922 | medium | — | 5.5 | — | Moderate: curl security update | |
| CVE-2021-31615 | medium | — | 5.5 | — | multiple issues in linux | |
| CVE-2021-32491 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences. | |
| CVE-2021-3655 | medium | — | 5.5 | — | A vulnerability was found in the Linux kernel in versions prior to v5.14-rc1. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. | |
| CVE-2021-24032 | medium | — | 5.5 | — | Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions… | |
| CVE-2021-28972 | medium | — | 5.5 | — | In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace… | |
| CVE-2021-23991 | medium | — | 5.5 | — | If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an em… | |
| CVE-2021-4001 | medium | — | 5.5 | — | A race condition was found in the Linux kernel's ebpf verifier between bpf_map_update_elem and bpf_map_freeze due to a missing lock in kernel/bpf/syscall.c. In this flaw, a local user with a special … | |
| CVE-2021-26932 | medium | — | 5.5 | — | An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall,… | |
| CVE-2021-28951 | medium | — | 5.5 | — | An issue was discovered in fs/io_uring.c in the Linux kernel through 5.11.8. It allows attackers to cause a denial of service (deadlock) because exit may be waiting to park a SQPOLL thread, but concu… | |
| CVE-2021-4095 | medium | — | 5.5 | — | A NULL pointer dereference was found in the Linux kernel's KVM when dirty ring logging is enabled without an active vCPU context. An unprivileged local attacker on the host may use this flaw to cause… | |
| CVE-2021-26931 | medium | — | 5.5 | — | An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors … | |
| CVE-2021-28878 | medium | — | 5.5 | — | In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once for the same index (under certain conditions) when next_back() and next() are use… | |
| CVE-2021-28038 | medium | — | 5.5 | — | An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a resul… | |
| CVE-2021-44542 | medium | — | 5.5 | — | A memory leak vulnerability was found in Privoxy when handling errors. | |
| CVE-2021-3618 | medium | — | 5.5 | — | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certifica… | |
| CVE-2021-28211 | medium | — | 5.5 | — | Moderate: edk2 security update | |
| CVE-2021-3421 | medium | — | 5.5 | — | A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cau… | |
| CVE-2021-31162 | medium | — | 5.5 | — | In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. | |
| CVE-2021-3962 | medium | — | 5.5 | — | A flaw was found in ImageMagick where it did not properly sanitize certain input before using it to invoke convert processes. This flaw allows an attacker to create a specially crafted image that lea… | |
| CVE-2021-3610 | medium | — | 5.5 | — | A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array si… | |
| CVE-2021-36222 | medium | — | 5.5 | — | ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference … | |
| CVE-2021-30499 | medium | — | 5.5 | — | A flaw was found in libcaca. A buffer overflow of export.c in function export_troff might lead to memory corruption and other potential consequences. | |
| CVE-2021-38166 | medium | — | 5.5 | — | In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impracti… | |
| CVE-2021-3847 | medium | — | 5.5 | — | An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into ano… | |
| CVE-2021-3624 | medium | — | 5.5 | — | There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system. | |
| CVE-2021-27400 | medium | — | 5.5 | — | certificate verification bypass in vault | |
| CVE-2021-31924 | medium | — | 5.5 | — | Yubico pam-u2f before 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) … | |
| CVE-2021-3760 | medium | — | 5.5 | — | A flaw was found in the Linux kernel. A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability. | |
| CVE-2021-3410 | medium | — | 5.5 | — | A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context. | |
| CVE-2021-29264 | medium | — | 5.5 | — | An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negat… | |
| CVE-2021-26948 | medium | — | 5.5 | — | Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file. | |
| CVE-2021-28041 | medium | — | 5.5 | — | ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an … | |
| CVE-2021-20277 | medium | — | 5.5 | — | A flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write, leading to a crash of the LDAP server process handling the req… | |
| CVE-2021-33364 | medium | — | 5.5 | — | Memory leak in the def_parent_box_new function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | |
| CVE-2021-31262 | medium | — | 5.5 | — | The AV1_DuplicateConfig function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |
| CVE-2021-21898 | medium | — | 5.5 | — | A code execution vulnerability exists in the dwgCompressor::decompress18() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dwg file can lead to an out-of-bounds write.… | |
| CVE-2021-33361 | medium | — | 5.5 | — | Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | |
| CVE-2021-42326 | medium | — | 5.5 | — | Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter. | |
| CVE-2021-34528 | medium | — | 5.5 | — | multiple issues in code | |
| CVE-2021-35058 | medium | — | 5.5 | — | multiple issues in hyperkitty | |
| CVE-2021-30027 | medium | — | 5.5 | — | md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document. | |
| CVE-2021-28899 | medium | — | 5.5 | — | multiple issues in live-media | |
| CVE-2021-20245 | medium | — | 5.5 | — | A flaw was found in ImageMagick in coders/webp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The hi… | |
| CVE-2021-42386 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function | |
| CVE-2021-3657 | medium | — | 5.5 | — | A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email… | |
| CVE-2021-43398 | medium | — | 5.5 | — | private key recovery in crypto++ | |
| CVE-2021-42381 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function | |
| CVE-2021-40812 | medium | — | 5.5 | — | The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks. | |
| CVE-2021-23992 | medium | — | 5.5 | — | Thunderbird did not check if the user ID associated with an OpenPGP key has a valid self signature. An attacker may create a crafted version of an OpenPGP key, by either replacing the original user I… | |
| CVE-2021-29950 | medium | — | 5.5 | — | Thunderbird unprotects a secret OpenPGP key prior to using it for a decryption, signing or key import task. If the task runs into a failure, the secret key may remain in memory in its unprotected sta… | |
| CVE-2021-33844 | medium | — | 5.5 | — | A floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c file. An attacker with a crafted wav file, could cause an application to crash. | |
| CVE-2021-23172 | medium | — | 5.5 | — | A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. The vulnerability is exploitable with a crafted hcomn file, that could cause an applicati… | |
| CVE-2021-29951 | medium | — | 5.5 | — | The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent… | |
| CVE-2021-4156 | medium | — | 5.5 | — | Moderate: libsndfile security update | |
| CVE-2021-3532 | medium | — | 5.5 | — | information disclosure in ansible | |
| CVE-2021-23180 | medium | — | 5.5 | — | A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(),in file.c may lead to execute arbitrary code and denial of service. | |
| CVE-2021-28879 | medium | — | 5.5 | — | In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer overflow. This bug can lead to a buffer overflow when a consumed Zip iterator is u… | |
| CVE-2021-20246 | medium | — | 5.5 | — | A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero… |