CVEs from 2022

- Total: 5,358
- Critical: 88
- High: 1,219
- Medium: 945
- Low: 24
- % Critical: 1.6%
- % with KEV: 2.4%
- % with exploit: 3.3%
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-42110 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Announcements Module |
| CVE-2022-45378 | unknown | — | — | | | | 4y ago | Apache SOAP contains unauthenticated RPCRouterServlet |
| CVE-2022-45136 | unknown | — | — | | | | 4y ago | Apache Jena vulnerable to Deserialization of Untrusted Data |
| CVE-2022-41854 | unknown | — | — | | | | 4y ago | Snakeyaml vulnerable to Stack overflow leading to denial of service |
| CVE-2022-3952 | unknown | — | — | | | | 4y ago | ManyDesigns Portofino subject to creation of insecure temporary file |
| CVE-2022-36022 | unknown | — | — | | | | 4y ago | Use of unclaimed s3 bucket in tests and examples |
| CVE-2022-42964 | unknown | — | — | | | | 4y ago | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method |
| CVE-2022-44244 | unknown | — | — | | | | 4y ago | Lin CMS vulnerable to Improper Authentication |
| CVE-2022-45129 | unknown | — | — | | | | 4y ago | Payara, when deployed to the root context, allows attackers to visit META-INF and WEB-INF |
| CVE-2022-39368 | unknown | — | — | | | | 4y ago | Failing DTLS handshakes may cause throttling to block processing of records |
| CVE-2022-37866 | unknown | — | — | | | | 4y ago | Apache Ivy vulnerable to path traversal |
| CVE-2022-37865 | unknown | — | — | | | | 4y ago | Apache Ivy does not verify target path when extracting the archive |
| CVE-2022-39387 | unknown | — | — | | | | 4y ago | XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider |
| CVE-2022-32287 | unknown | — | — | | | | 4y ago | Apache UIMA Path Traversal vulnerability |
| CVE-2022-43670 | unknown | — | — | | | | 4y ago | Apache Sling App CMS vulnerable to Cross-site Scripting |
| CVE-2022-34662 | unknown | — | — | | | | 4y ago | Apache DolphinScheduler vulnerable to Path Traversal |
| CVE-2022-31777 | unknown | — | — | | | | 4y ago | Apache Spark vulnerable to Log Injection |
| CVE-2022-31690 | unknown | — | — | | | | 4y ago | spring-security-oauth2-client vulnerable to Privilege Escalation |
| CVE-2022-31692 | unknown | — | — | | | | 4y ago | Spring Security authorization rules can be bypassed via forward or include dispatcher types |
| CVE-2022-42252 | unknown | — | — | | | | 4y ago | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default f… |
| CVE-2022-26884 | unknown | — | — | | | | 4y ago | Apache DolphinScheduler vulnerable to Path Traversal |
| CVE-2022-43766 | unknown | — | — | | | | 4y ago | Apache IoTDB subject to ReDOS with Java 8 |
| CVE-2022-42468 | unknown | — | — | | | | 4y ago | Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL |
| CVE-2022-39944 | unknown | — | — | | | | 4y ago | Apache Linkis subject to Remote Code Execution via deserialization |
| CVE-2022-42890 | unknown | — | — | | | | 4y ago | Untrusted code execution in Apache XML Graphics Batik |
| CVE-2022-41704 | unknown | — | — | | | | 4y ago | Apache XML Graphics Batik vulnerable to code execution via SVG |
| CVE-2022-34870 | unknown | — | — | | | | 4y ago | Apache Geode vulnerable to Cross-Site Scripting |
| CVE-2022-40084 | unknown | — | — | | | | 4y ago | OpenCRX vulnerable to password enumeration via error messages in password reset |
| CVE-2022-39259 | unknown | — | — | | | | 4y ago | Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack |
| CVE-2022-31684 | unknown | — | — | | | | 4y ago | Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens |
| CVE-2022-43429 | unknown | — | — | | | | 4y ago | Jenkins Compuware Topaz for Total Test Plugin vulnerable to Protection Mechanism Failure |
| CVE-2022-43431 | unknown | — | — | | | | 4y ago | Jenkins Compuware Strobe Measurement Plugin Missing Authorization vulnerability |
| CVE-2022-43433 | unknown | — | — | | | | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins ScreenRecorder Plugin |
| CVE-2022-43414 | unknown | — | — | | | | 4y ago | Jenkins NUnit Plugin vulnerable to Protection Mechanism Failure |
| CVE-2022-43425 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Jenkins Custom Checkbox Parameter Plugin |
| CVE-2022-43423 | unknown | — | — | | | | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin |
| CVE-2022-43407 | unknown | — | — | | | | 4y ago | CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin |
| CVE-2022-43409 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin |
| CVE-2022-43411 | unknown | — | — | | | | 4y ago | Non-constant time webhook token comparison in Jenkins GitLab Plugin |
| CVE-2022-43428 | unknown | — | — | | | | 4y ago | Agent-to-controller security bypass vulnerabilities in Jenkins Compuware Topaz for Total Test Plugin |
| CVE-2022-43432 | unknown | — | — | | | | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins XFramium Builder Plugin |
| CVE-2022-43421 | unknown | — | — | | | | 4y ago | Jenkins Tuleap Git Branch Source Plugin allows unauthenticated attackers to trigger Tuleap projects whose configured repo matches attacker-specified value |
| CVE-2022-43424 | unknown | — | — | | | | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins Compuware Xpediter Code Coverage Plugin |
| CVE-2022-43412 | unknown | — | — | | | | 4y ago | Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin |
| CVE-2022-43413 | unknown | — | — | | | | 4y ago | Jenkins Job Import Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins |
| CVE-2022-43404 | unknown | — | — | | | | 4y ago | Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin |
| CVE-2022-43403 | unknown | — | — | | | | 4y ago | Jenkins Script Security Plugin sandbox bypass vulnerability |
| CVE-2022-43406 | unknown | — | — | | | | 4y ago | Sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin |
| CVE-2022-43401 | unknown | — | — | | | | 4y ago | Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin |
| CVE-2022-43402 | unknown | — | — | | | | 4y ago | Jenkins Pipeline: Groovy Plugin allows sandbox protection bypass and arbitrary code execution |
| CVE-2022-43405 | unknown | — | — | | | | 4y ago | Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin |
| CVE-2022-43435 | unknown | — | — | | | | 4y ago | Content-Security-Policy protection for user content can be disabled in Jenkins 360 FireLine Plugin |
| CVE-2022-43417 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins Katalon Plugin allow capturing credentials |
| CVE-2022-43430 | unknown | — | — | | | | 4y ago | XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin |
| CVE-2022-43416 | unknown | — | — | | | | 4y ago | Jenkins Katalon Plugin vulnerable to Protection Mechanism Failure |
| CVE-2022-43434 | unknown | — | — | | | | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins NeuVector Vulnerability Scanner Plugin |
| CVE-2022-43420 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Jenkins Contrast Continuous Application Security Plugin |
| CVE-2022-43408 | unknown | — | — | | | | 4y ago | Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins |
| CVE-2022-43410 | unknown | — | — | | | | 4y ago | Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin |
| CVE-2022-43427 | unknown | — | — | | | | 4y ago | Jenkins Compuware Topaz for Total Test Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins |
| CVE-2022-43415 | unknown | — | — | | | | 4y ago | XXE vulnerability in Jenkins REPO Plugin |
| CVE-2022-43418 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Jenkins Katalon Plugin allows capturing credentials |
| CVE-2022-43419 | unknown | — | — | | | | 4y ago | API keys stored in plain text by Jenkins Katalon Plugin |
| CVE-2022-43426 | unknown | — | — | | | | 4y ago | AWS secrets displayed without masking by Jenkins S3 Explorer Plugin |
| CVE-2022-43422 | unknown | — | — | | | | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins Compuware Topaz Utilities Plugin |
| CVE-2022-42115 | unknown | — | — | | | | 4y ago | Liferay Portal Vulnerable to XSS in the Object Module |
| CVE-2022-42114 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module |
| CVE-2022-42116 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the CKEditor Integration with the Frontend Editor Module |
| CVE-2022-42117 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Frontend Taglib Module |
| CVE-2022-42112 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module |
| CVE-2022-42113 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Document Library Module |
| CVE-2022-39198 | unknown | — | — | | | | 4y ago | Hessian Lite for Apache Dubbo deserialization vulnerability |
| CVE-2022-42467 | unknown | — | — | | | | 4y ago | Apache Isis webconsole module may directly query the database in prototype mode |
| CVE-2022-42466 | unknown | — | — | | | | 4y ago | Apache Isis Cross-site Scripting vulnerability |
| CVE-2022-39312 | unknown | — | — | | | | 4y ago | MySQL JDBC deserialization vulnerability |
| CVE-2022-42969 | unknown | — | — | | | | 4y ago | Withdrawn Advisory: ReDoS in py library when used with subversion |
| CVE-2022-41828 | unknown | — | — | | | | 4y ago | com.amazon.redshift:redshift-jdbc42 vulnerable to remote command execution |
| CVE-2022-41404 | unknown | — | — | | | | 4y ago | org.ini4j allows attackers to cause a Denial of Service (DoS) |
| CVE-2022-40664 | unknown | — | — | | | | 4y ago | Apache Shiro Authentication Bypass vulnerability |
| CVE-2022-41414 | unknown | — | — | | | | 4y ago | Liferay Portal Insecure Default Configuration in auth.login.prompt.enabled |
| CVE-2022-39237 | unknown | — | — | | | | 4y ago | sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1 the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) us… |
| CVE-2022-41853 | unknown | — | — | | | | 4y ago | HyperSQL DataBase vulnerable to remote code execution when processing untrusted input |
| CVE-2022-3171 | unknown | — | — | | | | 4y ago | protobuf-java has a potential Denial of Service issue |
| CVE-2022-39248 | unknown | — | — | | | | 4y ago | matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion |
| CVE-2022-39246 | unknown | — | — | | | | 4y ago | matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions |
| CVE-2022-39243 | unknown | — | — | | | | 4y ago | NuProcess vulnerable to command-line injection through insertion of NUL character(s) |
| CVE-2022-40929 | unknown | — | — | | | | 4y ago | XXL-JOB contains a Command execution vulnerability in background tasks |
| CVE-2022-39261 | unknown | — | — | | | | 4y ago | Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-3290 | unknown | — | — | | | | 4y ago | rdiffweb's unlimited username field length can lead to DoS |
| CVE-2022-33683 | unknown | — | — | | | | 4y ago | Apache Pulsar Brokers and Proxies vulnerable to Improper Certificate Validation |
| CVE-2022-33681 | unknown | — | — | | | | 4y ago | Apache Pulsar Java Client vulnerable to Improper Certificate Validation |
| CVE-2022-33682 | unknown | — | — | | | | 4y ago | Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation |
| CVE-2022-26112 | unknown | — | — | | | | 4y ago | Apache Pinot has Groovy Function support enabled by default |
| CVE-2022-36944 | unknown | — | — | | | | 4y ago | Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization |
| CVE-2022-24280 | unknown | — | — | | | | 4y ago | Proxy component of Apache Pulsar subject to abuse as Denial of Service endpoint |
| CVE-2022-23463 | unknown | — | — | | | | 4y ago | Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution |
| CVE-2022-23464 | unknown | — | — | | | | 4y ago | Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery |
| CVE-2022-36025 | unknown | — | — | | | | 4y ago | Besu VM vulnerable to gas allocation error in CALL operations |
| CVE-2022-2256 | unknown | — | — | | | | 4y ago | Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles |
| CVE-2022-2668 | unknown | — | — | | | | 4y ago | Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console |