CVEs from 2022
Total
5,358
critical
critical 88
high
high 1,219
medium
medium 945
low
low 24
% Critical
1.6%
% with KEV
2.4%
% with exploit
3.3%
Top vendors
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-48716 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd938x: fix incorrect used of portid Mixer controls have the channel id in mixer->reg, which is not same as port i… | |||
| CVE-2022-48718 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: drm: mxsfb: Fix NULL pointer dereference mxsfb should not ever dereference the NULL pointer which drm_atomic_get_new_bridge_state… | |||
| CVE-2022-48717 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: ASoC: max9759: fix underflow in speaker_gain_control_put() Check for negative values of "priv->gain" to prevent an out of bounds … | |||
| CVE-2022-1485 | unknown | — | — | — | Use after free in File System API in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2022-48720 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: macsec: Fix offload support for NETDEV_UNREGISTER event Current macsec netdev notify handler handles NETDEV_UNREGISTER event… | |||
| CVE-2022-48721 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net/smc: Forward wakeup to smc socket waitqueue after fallback When we replace TCP with SMC and a fallback occurs, there may be s… | |||
| CVE-2022-1487 | unknown | — | — | — | Use after free in Ozone in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via running a Wayland test. | |||
| CVE-2022-48722 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: ca8210: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_… | |||
| CVE-2022-1490 | unknown | — | — | — | Use after free in Browser Switcher in Google Chrome prior to 101.0.4951.41 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption… | |||
| CVE-2022-1496 | unknown | — | — | — | Use after free in File Manager in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via specific and direct user interaction. | |||
| CVE-2022-1491 | unknown | — | — | — | Use after free in Bookmarks in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via specific and direct user interaction. | |||
| CVE-2022-1492 | unknown | — | — | — | Insufficient data validation in Blink Editing in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to inject arbitrary scripts or HTML via a crafted HTML page. | |||
| CVE-2022-4991 | unknown | — | — | 16h ago | Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that use… | |||
| CVE-2022-49957 | unknown | — | — | 1y ago | In the Linux kernel, the following vulnerability has been resolved: kcm: fix strp_init() order and cleanup strp_init() is called just a few lines above this csk->sk_user_data check, it also initial… | |||
| CVE-2022-41137 | unknown | — | — | 2y ago | Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore | |||
| CVE-2022-23553 | unknown | — | — | 2y ago | Alpine allows URL access filter bypass | |||
| CVE-2022-23554 | unknown | — | — | 2y ago | Alpine allows Authentication Filter bypass | |||
| CVE-2022-48833 | unknown | — | — | 2y ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: skip reserved bytes warning on unmount after log cleanup failure After the recent changes made by commit c2e39305299f01 ("… | |||
| CVE-2022-29946 | unknown | — | — | 2y ago | NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one sc… | |||
| CVE-2022-30636 | unknown | — | — | 2y ago | httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a di… | |||
| CVE-2022-47894 | unknown | — | — | 2y ago | Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE | |||
| CVE-2022-4963 | unknown | — | — | 2y ago | SQL injection in Folio Spring Module Core | |||
| CVE-2022-34321 | unknown | — | — | 2y ago | Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint | |||
| CVE-2022-45320 | unknown | — | — | 2y ago | Privilege escalation in Liferay Portal | |||
| CVE-2022-3328 | unknown | — | — | 2y ago | Race condition in snap-confine's must_mkdir_and_open_with_perms() | |||
| CVE-2022-45135 | unknown | — | — | 3y ago | Apache Cocoon SQL Injection vulnerability | |||
| CVE-2022-2232 | unknown | — | — | 3y ago | Keycloak vulnerable to LDAP Injection on UsernameForm Login | |||
| CVE-2022-41678 | unknown | — | — | 3y ago | Apache ActiveMQ Deserialization of Untrusted Data vulnerability | |||
| CVE-2022-46337 | unknown | — | — | 3y ago | Apache Derby: LDAP injection vulnerability in authenticator | |||
| CVE-2022-4244 | unknown | — | — | 3y ago | plexus-codehaus vulnerable to directory traversal | |||
| CVE-2022-4245 | unknown | — | — | 3y ago | codehaus-plexus vulnerable to XML injection | |||
| CVE-2022-28357 | unknown | — | — | 3y ago | NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account. | |||
| CVE-2022-1415 | unknown | — | — | 3y ago | Drools Core Deserialization of Untrusted Data vulnerability | |||
| CVE-2022-44729 | unknown | — | — | 3y ago | Apache XML Graphics Batik Server-Side Request Forgery vulnerability | |||
| CVE-2022-46751 | unknown | — | — | 3y ago | Apache Ivy External Entity Reference vulnerability | |||
| CVE-2022-41401 | unknown | — | — | 3y ago | OpenRefine Server-Side Request Forgery vulnerability | |||
| CVE-2022-40896 | unknown | — | — | 3y ago | A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. | |||
| CVE-2022-45855 | unknown | — | — | 3y ago | Apache Ambari Expression Language Injection vulnerability | |||
| CVE-2022-42009 | unknown | — | — | 3y ago | Apache Ambari Expression Language Injection vulnerability | |||
| CVE-2022-45048 | unknown | — | — | 3y ago | Apache Ranger code execution vulnerability in policy expressions | |||
| CVE-2022-46365 | unknown | — | — | 3y ago | Apache StreamPark Improper Input Validation vulnerability | |||
| CVE-2022-45802 | unknown | — | — | 3y ago | Apache StreamPark Path Traversal vulnerability | |||
| CVE-2022-24697 | unknown | — | — | 3y ago | Apache Kylin vulnerable to remote code execution | |||
| CVE-2022-4361 | unknown | — | — | 3y ago | Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC | |||
| CVE-2022-46907 | unknown | — | — | 3y ago | Apache JSPWiki vulnerable to cross-site scripting on several plugins | |||
| CVE-2022-47937 | unknown | — | — | 3y ago | Apache Sling Commons JSON bundle vulnerable to Improper Input Validation | |||
| CVE-2022-45801 | unknown | — | — | 3y ago | Apache StreamPark LDAP Injection vulnerability | |||
| CVE-2022-45064 | unknown | — | — | 3y ago | Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation | |||
| CVE-2022-41918 | unknown | — | — | 3y ago | OpenSearch has issue with fine-grained access control of indices backing data streams | |||
| CVE-2022-3277 | unknown | — | — | 3y ago | An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates re… | |||
| CVE-2022-1274 | unknown | — | — | 3y ago | HTML Injection in Keycloak Admin REST API | |||
| CVE-2022-4137 | unknown | — | — | 3y ago | Keycloak Cross-site Scripting on OpenID connect login service | |||
| CVE-2022-1438 | unknown | — | — | 3y ago | Keycloak vulnerable to Cross-site Scripting | |||
| CVE-2022-39228 | unknown | — | — | 3y ago | vantage6 vulnerable to Observable Response Discrepancy | |||
| CVE-2022-4492 | unknown | — | — | 3y ago | Undertow client not checking server identity presented by server certificate in https connections | |||
| CVE-2022-42735 | unknown | — | — | 3y ago | Privilege escalation in Apache ShenYu | |||
| CVE-2022-4903 | unknown | — | — | 3y ago | CodenameOne Pending Intent vulnerability | |||
| CVE-2022-24894 | unknown | — | — | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers… | |||
| CVE-2022-24895 | unknown | — | — | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the… | |||
| CVE-2022-44645 | unknown | — | — | 3y ago | Apache Linkis contains Deserialization of Untrusted Data | |||
| CVE-2022-44644 | unknown | — | — | 3y ago | Apache Linkis vulnerable to Exposure of Sensitive Information | |||
| CVE-2022-2712 | unknown | — | — | 3y ago | Path Traversal In Eclipse GlassFish | |||
| CVE-2022-47951 | unknown | — | — | 3y ago | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0… | |||
| CVE-2022-25894 | unknown | — | — | 3y ago | Remote Code Execution in com.bstek.uflo:uflo-core | |||
| CVE-2022-47042 | unknown | — | — | 3y ago | Arbitrary file write in net.mingsoft:ms-mcms | |||
| CVE-2022-47105 | unknown | — | — | 3y ago | Jeecg-boot is vulnerable to SQL injection | |||
| CVE-2022-47950 | unknown | — | — | 3y ago | An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file c… | |||
| CVE-2022-25901 | unknown | — | — | 3y ago | cookiejar Regular Expression Denial of Service via Cookie.parse function | |||
| CVE-2022-23532 | unknown | — | — | 3y ago | org.neo4j.procedure:apoc Path Traversal Vulnerability | |||
| CVE-2022-3143 | unknown | — | — | 3y ago | Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator | |||
| CVE-2022-24913 | unknown | — | — | 3y ago | Java Merge-sort Insecure Temporary File vulnerability | |||
| CVE-2022-46176 | unknown | — | — | 3y ago | Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could explo… | |||
| CVE-2022-46769 | unknown | — | — | 3y ago | Apache Sling App CMS vulnerable to reflected Cross-site Scripting | |||
| CVE-2022-45935 | unknown | — | — | 3y ago | Apache James server allows an attacker with local access to access private user data in transit | |||
| CVE-2022-45787 | unknown | — | — | 3y ago | Apache James MIME4J vulnerable to information disclosure to local users | |||
| CVE-2022-45875 | unknown | — | — | 4y ago | Apache DolphinScheduler vulnerable to Improper Input Validation | |||
| CVE-2022-38723 | unknown | — | — | 4y ago | Gravitee API Management contains Path Traversal | |||
| CVE-2022-45143 | unknown | — | — | 4y ago | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use… | |||
| CVE-2022-47551 | unknown | — | — | 4y ago | Apiman has potential permissions bypass | |||
| CVE-2022-46178 | unknown | — | — | 4y ago | Path Traversal In MeterSpere leads to upload file to any path | |||
| CVE-2022-40151 | unknown | — | — | 4y ago | XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow | |||
| CVE-2022-44621 | unknown | — | — | 4y ago | Apache Kylin vulnerable to Command injection by Diagnosis Controller | |||
| CVE-2022-43396 | unknown | — | — | 4y ago | Apache Kylin vulnerable to Command injection by Useless configuration | |||
| CVE-2022-41966 | unknown | — | — | 4y ago | XStream can cause Denial of Service via stack overflow | |||
| CVE-2022-4772 | unknown | — | — | 4y ago | Widoco Path Traversal vulnerability | |||
| CVE-2022-4725 | unknown | — | — | 4y ago | AWS SDK is vulnerable to server-side request forgery (SSRF) | |||
| CVE-2022-36437 | unknown | — | — | 4y ago | Hazelcast connection caching | |||
| CVE-2022-45347 | unknown | — | — | 4y ago | Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability | |||
| CVE-2022-4640 | unknown | — | — | 4y ago | Mingsoft MCMS Cross-site Scripting vulnerability | |||
| CVE-2022-40145 | unknown | — | — | 4y ago | Apache Karaf vulnerable to potential code injection | |||
| CVE-2022-46870 | unknown | — | — | 4y ago | Apache Zeppelin Cross-site Scripting vulnerability | |||
| CVE-2022-25940 | unknown | — | — | 4y ago | lite-server vulnerable to Denial of Service | |||
| CVE-2022-47500 | unknown | — | — | 4y ago | Apache Helix UI vulnerable to Open Redirect | |||
| CVE-2022-4565 | unknown | — | — | 4y ago | HuTool vulnerable to Uncontrolled Resource Consumption | |||
| CVE-2022-4520 | unknown | — | — | 4y ago | WSO2 carbon-registry Cross-site Scripting vulnerability | |||
| CVE-2022-4521 | unknown | — | — | 4y ago | WSO2 carbon-registry vulnerable to Cross-site Scripting | |||
| CVE-2022-32531 | unknown | — | — | 4y ago | Apache Bookkeeper vulnerable to Improper Certificate Validation | |||
| CVE-2022-4493 | unknown | — | — | 4y ago | SCIFIO vulnerable to Path Traversal | |||
| CVE-2022-34271 | unknown | — | — | 4y ago | Apache Atlas: zip path traversal in import functionality | |||
| CVE-2022-3782 | unknown | — | — | 4y ago | Keycloak vulnerable to path traversal via double URL encoding |