CVEs from 2022
Total
5,367
critical
critical 88
high
high 1,220
medium
medium 938
low
low 24
% Critical
1.6%
% with KEV
2.4%
% with exploit
3.3%
Top vendors
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-41137 | unknown | — | — | 2y ago | Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore | |||
| CVE-2022-23554 | unknown | — | — | 2y ago | Alpine allows Authentication Filter bypass | |||
| CVE-2022-23553 | unknown | — | — | 2y ago | Alpine allows URL access filter bypass | |||
| CVE-2022-48833 | unknown | — | — | 2y ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: skip reserved bytes warning on unmount after log cleanup failure After the recent changes made by commit c2e39305299f01 ("… | |||
| CVE-2022-29946 | unknown | — | — | 2y ago | NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one sc… | |||
| CVE-2022-30636 | unknown | — | — | 2y ago | httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a di… | |||
| CVE-2022-47894 | unknown | — | — | 2y ago | Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE | |||
| CVE-2022-4963 | unknown | — | — | 2y ago | SQL injection in Folio Spring Module Core | |||
| CVE-2022-34321 | unknown | — | — | 2y ago | Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint | |||
| CVE-2022-45320 | unknown | — | — | 2y ago | Privilege escalation in Liferay Portal | |||
| CVE-2022-3328 | unknown | — | — | 2y ago | Race condition in snap-confine's must_mkdir_and_open_with_perms() | |||
| CVE-2022-45135 | unknown | — | — | 3y ago | Apache Cocoon SQL Injection vulnerability | |||
| CVE-2022-2232 | unknown | — | — | 3y ago | Keycloak vulnerable to LDAP Injection on UsernameForm Login | |||
| CVE-2022-41678 | unknown | — | — | 3y ago | Apache ActiveMQ Deserialization of Untrusted Data vulnerability | |||
| CVE-2022-46337 | unknown | — | — | 3y ago | Apache Derby: LDAP injection vulnerability in authenticator | |||
| CVE-2022-4245 | unknown | — | — | 3y ago | codehaus-plexus vulnerable to XML injection | |||
| CVE-2022-4244 | unknown | — | — | 3y ago | plexus-codehaus vulnerable to directory traversal | |||
| CVE-2022-28357 | unknown | — | — | 3y ago | NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account. | |||
| CVE-2022-1415 | unknown | — | — | 3y ago | Drools Core Deserialization of Untrusted Data vulnerability | |||
| CVE-2022-44729 | unknown | — | — | 3y ago | Apache XML Graphics Batik Server-Side Request Forgery vulnerability | |||
| CVE-2022-46751 | unknown | — | — | 3y ago | Apache Ivy External Entity Reference vulnerability | |||
| CVE-2022-41401 | unknown | — | — | 3y ago | OpenRefine Server-Side Request Forgery vulnerability | |||
| CVE-2022-40896 | unknown | — | — | 3y ago | A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. | |||
| CVE-2022-45855 | unknown | — | — | 3y ago | Apache Ambari Expression Language Injection vulnerability | |||
| CVE-2022-42009 | unknown | — | — | 3y ago | Apache Ambari Expression Language Injection vulnerability | |||
| CVE-2022-45048 | unknown | — | — | 3y ago | Apache Ranger code execution vulnerability in policy expressions | |||
| CVE-2022-46365 | unknown | — | — | 3y ago | Apache StreamPark Improper Input Validation vulnerability | |||
| CVE-2022-45802 | unknown | — | — | 3y ago | Apache StreamPark Path Traversal vulnerability | |||
| CVE-2022-24697 | unknown | — | — | 3y ago | Apache Kylin vulnerable to remote code execution | |||
| CVE-2022-4361 | unknown | — | — | 3y ago | Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC | |||
| CVE-2022-46907 | unknown | — | — | 3y ago | Apache JSPWiki vulnerable to cross-site scripting on several plugins | |||
| CVE-2022-47937 | unknown | — | — | 3y ago | Apache Sling Commons JSON bundle vulnerable to Improper Input Validation | |||
| CVE-2022-45801 | unknown | — | — | 3y ago | Apache StreamPark LDAP Injection vulnerability | |||
| CVE-2022-45064 | unknown | — | — | 3y ago | Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation | |||
| CVE-2022-41918 | unknown | — | — | 3y ago | OpenSearch has issue with fine-grained access control of indices backing data streams | |||
| CVE-2022-3277 | unknown | — | — | 3y ago | An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates re… | |||
| CVE-2022-1274 | unknown | — | — | 3y ago | HTML Injection in Keycloak Admin REST API | |||
| CVE-2022-4137 | unknown | — | — | 3y ago | Keycloak Cross-site Scripting on OpenID connect login service | |||
| CVE-2022-1438 | unknown | — | — | 3y ago | Keycloak vulnerable to Cross-site Scripting | |||
| CVE-2022-39228 | unknown | — | — | 3y ago | vantage6 vulnerable to Observable Response Discrepancy | |||
| CVE-2022-4492 | unknown | — | — | 3y ago | Undertow client not checking server identity presented by server certificate in https connections | |||
| CVE-2022-42735 | unknown | — | — | 3y ago | Privilege escalation in Apache ShenYu | |||
| CVE-2022-4903 | unknown | — | — | 3y ago | CodenameOne Pending Intent vulnerability | |||
| CVE-2022-24894 | unknown | — | — | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers… | |||
| CVE-2022-24895 | unknown | — | — | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the… | |||
| CVE-2022-44644 | unknown | — | — | 3y ago | Apache Linkis vulnerable to Exposure of Sensitive Information | |||
| CVE-2022-44645 | unknown | — | — | 3y ago | Apache Linkis contains Deserialization of Untrusted Data | |||
| CVE-2022-2712 | unknown | — | — | 3y ago | Path Traversal In Eclipse GlassFish | |||
| CVE-2022-47951 | unknown | — | — | 3y ago | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0… | |||
| CVE-2022-25894 | unknown | — | — | 3y ago | Remote Code Execution in com.bstek.uflo:uflo-core | |||
| CVE-2022-47042 | unknown | — | — | 3y ago | Arbitrary file write in net.mingsoft:ms-mcms | |||
| CVE-2022-47105 | unknown | — | — | 3y ago | Jeecg-boot is vulnerable to SQL injection | |||
| CVE-2022-47950 | unknown | — | — | 3y ago | An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file c… | |||
| CVE-2022-25901 | unknown | — | — | 3y ago | cookiejar Regular Expression Denial of Service via Cookie.parse function | |||
| CVE-2022-23532 | unknown | — | — | 3y ago | org.neo4j.procedure:apoc Path Traversal Vulnerability | |||
| CVE-2022-3143 | unknown | — | — | 3y ago | Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator | |||
| CVE-2022-24913 | unknown | — | — | 3y ago | Java Merge-sort Insecure Temporary File vulnerability | |||
| CVE-2022-46176 | unknown | — | — | 3y ago | Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could explo… | |||
| CVE-2022-46769 | unknown | — | — | 3y ago | Apache Sling App CMS vulnerable to reflected Cross-site Scripting | |||
| CVE-2022-45935 | unknown | — | — | 3y ago | Apache James server allows an attacker with local access to access private user data in transit | |||
| CVE-2022-45787 | unknown | — | — | 3y ago | Apache James MIME4J vulnerable to information disclosure to local users | |||
| CVE-2022-45875 | unknown | — | — | 3y ago | Apache DolphinScheduler vulnerable to Improper Input Validation | |||
| CVE-2022-38723 | unknown | — | — | 4y ago | Gravitee API Management contains Path Traversal | |||
| CVE-2022-45143 | unknown | — | — | 4y ago | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use… | |||
| CVE-2022-47551 | unknown | — | — | 4y ago | Apiman has potential permissions bypass | |||
| CVE-2022-46178 | unknown | — | — | 4y ago | Path Traversal In MeterSpere leads to upload file to any path | |||
| CVE-2022-40151 | unknown | — | — | 4y ago | XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow | |||
| CVE-2022-44621 | unknown | — | — | 4y ago | Apache Kylin vulnerable to Command injection by Diagnosis Controller | |||
| CVE-2022-43396 | unknown | — | — | 4y ago | Apache Kylin vulnerable to Command injection by Useless configuration | |||
| CVE-2022-41966 | unknown | — | — | 4y ago | XStream can cause Denial of Service via stack overflow | |||
| CVE-2022-4772 | unknown | — | — | 4y ago | Widoco Path Traversal vulnerability | |||
| CVE-2022-4725 | unknown | — | — | 4y ago | AWS SDK is vulnerable to server-side request forgery (SSRF) | |||
| CVE-2022-36437 | unknown | — | — | 4y ago | Hazelcast connection caching | |||
| CVE-2022-45347 | unknown | — | — | 4y ago | Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability | |||
| CVE-2022-4640 | unknown | — | — | 4y ago | Mingsoft MCMS Cross-site Scripting vulnerability | |||
| CVE-2022-40145 | unknown | — | — | 4y ago | Apache Karaf vulnerable to potential code injection | |||
| CVE-2022-46870 | unknown | — | — | 4y ago | Apache Zeppelin Cross-site Scripting vulnerability | |||
| CVE-2022-25940 | unknown | — | — | 4y ago | lite-server vulnerable to Denial of Service | |||
| CVE-2022-47500 | unknown | — | — | 4y ago | Apache Helix UI vulnerable to Open Redirect | |||
| CVE-2022-4565 | unknown | — | — | 4y ago | HuTool vulnerable to Uncontrolled Resource Consumption | |||
| CVE-2022-4520 | unknown | — | — | 4y ago | WSO2 carbon-registry Cross-site Scripting vulnerability | |||
| CVE-2022-4521 | unknown | — | — | 4y ago | WSO2 carbon-registry vulnerable to Cross-site Scripting | |||
| CVE-2022-32531 | unknown | — | — | 4y ago | Apache Bookkeeper vulnerable to Improper Certificate Validation | |||
| CVE-2022-4493 | unknown | — | — | 4y ago | SCIFIO vulnerable to Path Traversal | |||
| CVE-2022-34271 | unknown | — | — | 4y ago | Apache Atlas: zip path traversal in import functionality | |||
| CVE-2022-3782 | unknown | — | — | 4y ago | Keycloak vulnerable to path traversal via double URL encoding | |||
| CVE-2022-3916 | unknown | — | — | 4y ago | Keycloak vulnerable to session takeover with OIDC offline refreshtokens | |||
| CVE-2022-46364 | unknown | — | — | 4y ago | Apache CXF Server-Side Request Forgery vulnerability | |||
| CVE-2022-45693 | unknown | — | — | 4y ago | Jettison Out-of-bounds Write vulnerability | |||
| CVE-2022-46363 | unknown | — | — | 4y ago | Apache CXF vulnerable to Exposure of Sensitive Information | |||
| CVE-2022-45685 | unknown | — | — | 4y ago | Jettison Out-of-bounds Write vulnerability | |||
| CVE-2022-45689 | unknown | — | — | 4y ago | hutool-json vulnerable to memory exhaustion | |||
| CVE-2022-45688 | unknown | — | — | 4y ago | json stack overflow vulnerability | |||
| CVE-2022-45690 | unknown | — | — | 4y ago | hutool-json stack overflow vulnerability | |||
| CVE-2022-41915 | unknown | — | — | 4y ago | Netty vulnerable to HTTP Response splitting from assigning header value iterator | |||
| CVE-2022-41881 | unknown | — | — | 4y ago | HAProxyMessageDecoder Stack Exhaustion DoS | |||
| CVE-2022-3509 | unknown | — | — | 4y ago | Protobuf Java vulnerable to Uncontrolled Resource Consumption | |||
| CVE-2022-3510 | unknown | — | — | 4y ago | Protobuf Java vulnerable to Uncontrolled Resource Consumption | |||
| CVE-2022-46684 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Checkmarx Plugin | |||
| CVE-2022-46686 | unknown | — | — | 4y ago | Jenkins Custom Build Properties Plugin vulnerable to Cross-site Scripting |