CVEs from 2022

- Total: 5,370
- Critical: 88
- High: 1,219
- Medium: 945
- Low: 24
- % Critical: 1.6%
- % with KEV (listed in CISA's Known Exploited Vulnerabilities catalog): 2.4%
- % with exploit: 3.3%
Top products (CVE count)

- jdk: 116
- jre: 109
- openjdk: 100
- zulu: 82
- graalvm: 74
- cloud_secure_agent: 35
- oncommand_insight: 34
- cloud_insights_acquisition_unit: 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-37865 | unknown | — | — | — | — | — | 4y ago | Apache Ivy does not verify target path when extracting the archive |
| CVE-2022-39387 | unknown | — | — | — | — | — | 4y ago | XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider |
| CVE-2022-32287 | unknown | — | — | — | — | — | 4y ago | Apache UIMA Path Traversal vulnerability |
| CVE-2022-43670 | unknown | — | — | — | — | — | 4y ago | Apache Sling App CMS vulnerable to Cross-site Scripting |
| CVE-2022-31777 | unknown | — | — | — | — | — | 4y ago | Apache Spark vulnerable to Log Injection |
| CVE-2022-34662 | unknown | — | — | — | — | — | 4y ago | Apache DolphinScheduler vulnerable to Path Traversal |
| CVE-2022-31692 | unknown | — | — | — | — | — | 4y ago | Spring Security authorization rules can be bypassed via forward or include dispatcher types |
| CVE-2022-31690 | unknown | — | — | — | — | — | 4y ago | spring-security-oauth2-client vulnerable to Privilege Escalation |
| CVE-2022-42252 | unknown | — | — | — | — | — | 4y ago | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default f… |
| CVE-2022-26884 | unknown | — | — | — | — | — | 4y ago | Apache DolphinScheduler vulnerable to Path Traversal |
| CVE-2022-43766 | unknown | — | — | — | — | — | 4y ago | Apache IoTDB subject to ReDOS with Java 8 |
| CVE-2022-39944 | unknown | — | — | — | — | — | 4y ago | Apache Linkis subject to Remote Code Execution via deserialization |
| CVE-2022-42468 | unknown | — | — | — | — | — | 4y ago | Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL |
| CVE-2022-41704 | unknown | — | — | — | — | — | 4y ago | Apache XML Graphics Batik vulnerable to code execution via SVG. |
| CVE-2022-42890 | unknown | — | — | — | — | — | 4y ago | Untrusted code execution in Apache XML Graphics Batik |
| CVE-2022-34870 | unknown | — | — | — | — | — | 4y ago | Apache Geode vulnerable to Cross-Site Scripting |
| CVE-2022-40084 | unknown | — | — | — | — | — | 4y ago | OpenCRX vulnerable to password enumeration via error messages in password reset |
| CVE-2022-39259 | unknown | — | — | — | — | — | 4y ago | Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack |
| CVE-2022-31684 | unknown | — | — | — | — | — | 4y ago | Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens |
| CVE-2022-43407 | unknown | — | — | — | — | — | 4y ago | CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin |
| CVE-2022-43433 | unknown | — | — | — | — | — | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins ScreenRecorder Plugin |
| CVE-2022-43429 | unknown | — | — | — | — | — | 4y ago | Jenkins Compuware Topaz for Total Test Plugin vulnerable to Protection Mechanism Failure |
| CVE-2022-43424 | unknown | — | — | — | — | — | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins Compuware Xpediter Code Coverage Plugin |
| CVE-2022-43413 | unknown | — | — | — | — | — | 4y ago | Jenkins Job Import Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins |
| CVE-2022-43411 | unknown | — | — | — | — | — | 4y ago | Non-constant time webhook token comparison in Jenkins GitLab Plugin |
| CVE-2022-43412 | unknown | — | — | — | — | — | 4y ago | Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin |
| CVE-2022-43431 | unknown | — | — | — | — | — | 4y ago | Jenkins Compuware Strobe Measurement Plugin Missing Authorization vulnerability |
| CVE-2022-43421 | unknown | — | — | — | — | — | 4y ago | Jenkins Tuleap Git Branch Source Plugin allows unauthenticated attackers to trigger Tuleap projects whose configured repo matches attacker-specified value |
| CVE-2022-43425 | unknown | — | — | — | — | — | 4y ago | Stored XSS vulnerability in Jenkins Custom Checkbox Parameter Plugin |
| CVE-2022-43428 | unknown | — | — | — | — | — | 4y ago | Agent-to-controller security bypass vulnerabilities in Jenkins Compuware Topaz for Total Test Plugin |
| CVE-2022-43414 | unknown | — | — | — | — | — | 4y ago | Jenkins NUnit Plugin vulnerable to Protection Mechanism Failure |
| CVE-2022-43423 | unknown | — | — | — | — | — | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin |
| CVE-2022-43409 | unknown | — | — | — | — | — | 4y ago | Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin |
| CVE-2022-43432 | unknown | — | — | — | — | — | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins XFramium Builder Plugin |
| CVE-2022-43403 | unknown | — | — | — | — | — | 4y ago | Jenkins Script Security Plugin sandbox bypass vulnerability |
| CVE-2022-43401 | unknown | — | — | — | — | — | 4y ago | Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin |
| CVE-2022-43404 | unknown | — | — | — | — | — | 4y ago | Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin |
| CVE-2022-43402 | unknown | — | — | — | — | — | 4y ago | Jenkins Pipeline: Groovy Plugin allows sandbox protection bypass and arbitrary code execution |
| CVE-2022-43405 | unknown | — | — | — | — | — | 4y ago | Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin |
| CVE-2022-43406 | unknown | — | — | — | — | — | 4y ago | Sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin |
| CVE-2022-43415 | unknown | — | — | — | — | — | 4y ago | XXE vulnerability in Jenkins REPO Plugin |
| CVE-2022-43418 | unknown | — | — | — | — | — | 4y ago | CSRF vulnerability in Jenkins Katalon Plugin allows capturing credentials |
| CVE-2022-43430 | unknown | — | — | — | — | — | 4y ago | XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin |
| CVE-2022-43408 | unknown | — | — | — | — | — | 4y ago | Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins |
| CVE-2022-43410 | unknown | — | — | — | — | — | 4y ago | Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin |
| CVE-2022-43435 | unknown | — | — | — | — | — | 4y ago | Content-Security-Policy protection for user content can be disabled in Jenkins 360 FireLine Plugin |
| CVE-2022-43416 | unknown | — | — | — | — | — | 4y ago | Jenkins Katalon Plugin vulnerable to Protection Mechanism Failure |
| CVE-2022-43427 | unknown | — | — | — | — | — | 4y ago | Jenkins Compuware Topaz for Total Test Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins |
| CVE-2022-43420 | unknown | — | — | — | — | — | 4y ago | Stored XSS vulnerability in Jenkins Contrast Continuous Application Security Plugin |
| CVE-2022-43434 | unknown | — | — | — | — | — | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins NeuVector Vulnerability Scanner Plugin |
| CVE-2022-43417 | unknown | — | — | — | — | — | 4y ago | Missing permission checks in Jenkins Katalon Plugin allow capturing credentials |
| CVE-2022-43426 | unknown | — | — | — | — | — | 4y ago | AWS secrets displayed without masking by Jenkins S3 Explorer Plugin |
| CVE-2022-43419 | unknown | — | — | — | — | — | 4y ago | API keys stored in plain text by Jenkins Katalon Plugin |
| CVE-2022-43422 | unknown | — | — | — | — | — | 4y ago | Agent-to-controller security bypass vulnerability in Jenkins Compuware Topaz Utilities Plugin |
| CVE-2022-42115 | unknown | — | — | — | — | — | 4y ago | Liferay Portal Vulnerable to XSS in the Object Module |
| CVE-2022-42117 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Frontend Taglib Module |
| CVE-2022-42116 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the CKEditor Integration with the Frontend Editor Module |
| CVE-2022-42114 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module |
| CVE-2022-42113 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Document Library Module |
| CVE-2022-42112 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module |
| CVE-2022-39198 | unknown | — | — | — | — | — | 4y ago | Hessian Lite for Apache Dubbo deserialization vulnerability |
| CVE-2022-42466 | unknown | — | — | — | — | — | 4y ago | Apache Isis Cross-site Scripting vulnerability |
| CVE-2022-42467 | unknown | — | — | — | — | — | 4y ago | Apache Isis webconsole module may directly query the database in prototype mode |
| CVE-2022-39312 | unknown | — | — | — | — | — | 4y ago | MySQL JDBC deserialization vulnerability |
| CVE-2022-42969 | unknown | — | — | — | — | — | 4y ago | Withdrawn Advisory: ReDoS in py library when used with subversion |
| CVE-2022-41828 | unknown | — | — | — | — | — | 4y ago | com.amazon.redshift:redshift-jdbc42 vulnerable to remote command execution |
| CVE-2022-41404 | unknown | — | — | — | — | — | 4y ago | org.ini4j allows attackers to cause a Denial of Service (DoS) |
| CVE-2022-40664 | unknown | — | — | — | — | — | 4y ago | Apache Shiro Authentication Bypass vulnerability |
| CVE-2022-41414 | unknown | — | — | — | — | — | 4y ago | Liferay Portal Insecure Default Configuration in auth.login.prompt.enabled |
| CVE-2022-41853 | unknown | — | — | — | — | — | 4y ago | HyperSQL DataBase vulnerable to remote code execution when processing untrusted input |
| CVE-2022-3171 | unknown | — | — | — | — | — | 4y ago | protobuf-java has a potential Denial of Service issue |
| CVE-2022-39248 | unknown | — | — | — | — | — | 4y ago | matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion |
| CVE-2022-39246 | unknown | — | — | — | — | — | 4y ago | matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions |
| CVE-2022-39243 | unknown | — | — | — | — | — | 4y ago | NuProcess vulnerable to command-line injection through insertion of NUL character(s) |
| CVE-2022-40929 | unknown | — | — | — | — | — | 4y ago | XXL-JOB contains a Command execution vulnerability in background tasks |
| CVE-2022-39261 | unknown | — | — | — | — | — | 4y ago | Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-3290 | unknown | — | — | — | — | — | 4y ago | rdiffweb's unlimited username field length can lead to DoS |
| CVE-2022-33681 | unknown | — | — | — | — | — | 4y ago | Apache Pulsar Java Client vulnerable to Improper Certificate Validation |
| CVE-2022-33682 | unknown | — | — | — | — | — | 4y ago | Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation |
| CVE-2022-33683 | unknown | — | — | — | — | — | 4y ago | Apache Pulsar Brokers and Proxies vulnerable to Improper Certificate Validation |
| CVE-2022-26112 | unknown | — | — | — | — | — | 4y ago | Apache Pinot has Groovy Function support enabled by default |
| CVE-2022-36944 | unknown | — | — | — | — | — | 4y ago | Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization |
| CVE-2022-24280 | unknown | — | — | — | — | — | 4y ago | Proxy component of Apache Pulsar subject to abuse as Denial of Service endpoint |
| CVE-2022-23463 | unknown | — | — | — | — | — | 4y ago | Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution |
| CVE-2022-23464 | unknown | — | — | — | — | — | 4y ago | Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery |
| CVE-2022-36025 | unknown | — | — | — | — | — | 4y ago | Besu VM vulnerable to gas allocation error in CALL operations |
| CVE-2022-2256 | unknown | — | — | — | — | — | 4y ago | Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles |
| CVE-2022-2668 | unknown | — | — | — | — | — | 4y ago | Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console |
| CVE-2022-28980 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the filter_ Prefix |
| CVE-2022-28978 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Site Module |
| CVE-2022-28981 | unknown | — | — | — | — | — | 4y ago | Liferay Portal Path Traversal Vulnerability via the Hypermedia REST APIs Module |
| CVE-2022-28982 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via Tag Name |
| CVE-2022-40705 | unknown | — | — | — | — | — | 4y ago | Apache SOAP's RPCRouterServlet allows reading of arbitrary files over HTTP |
| CVE-2022-28977 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP HtmlUtil.escapeRedirect Can Be Circumvented |
| CVE-2022-39975 | unknown | — | — | — | — | — | 4y ago | Liferay Portal Missing Authorization vulnerability |
| CVE-2022-28979 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module |
| CVE-2022-38512 | unknown | — | — | — | — | — | 4y ago | Liferay Portal and Liferay DXP Fails to Check Permissions in Translation Module |
| CVE-2022-38648 | unknown | — | — | — | — | — | 4y ago | Apache Batik vulnerable to Server-Side Request Forgery |
| CVE-2022-40146 | unknown | — | — | — | — | — | 4y ago | Apache Batik vulnerable to Server-Side Request Forgery |
| CVE-2022-38398 | unknown | — | — | — | — | — | 4y ago | Apache Batik Server-Side Request Forgery |
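CVE-2022-43411 and CVE-2022-43412 above both describe a webhook token checked with a non-constant-time comparison. As an added example, not code from either Jenkins plugin: an instrumented copy of the naive comparison that reports how many bytes of a guess it examines before rejecting it (the quantity a remote caller recovers from response time, one byte of the secret at a time), next to two constant-time replacements. The secret and the guesses are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not code from the Jenkins GitLab or Generic Webhook Trigger
// plugins: a webhook secret compared byte by byte leaks, through response
// time, how long a correct prefix the caller has guessed.
public final class WebhookTokenCheck {

    // Vulnerable pattern: equals() stops at the first mismatching byte.
    static boolean equalsNaive(String expected, String presented) {
        return expected.equals(presented);
    }

    // Instrumented copy of that loop. Returns how many bytes were examined
    // before it gave up; on a real server this count is what an attacker
    // infers from timing, so each correct byte confirms itself.
    static int naiveBytesExamined(byte[] expected, byte[] presented) {
        if (expected.length != presented.length) {
            return 0;                      // a length mismatch is itself an oracle
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != presented[i]) {
                return i + 1;
            }
        }
        return expected.length;
    }

    // Fixed (1): hash both values to a fixed 32 bytes, then fold every byte
    // into one accumulator. Iteration count and work per iteration no longer
    // depend on where, or whether, the inputs differ, and hashing first also
    // hides the length of the real secret.
    static boolean equalsConstantTime(String expected, String presented) {
        byte[] a = sha256(expected);
        byte[] b = sha256(presented);
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Fixed (2): the JDK's own helper, which current releases implement
    // without a data-dependent early exit; hashing first keeps both arrays the
    // same length regardless of what the caller sent.
    static boolean equalsWithJdk(String expected, String presented) {
        return MessageDigest.isEqual(sha256(expected), sha256(presented));
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every JRE must provide SHA-256
        }
    }

    public static void main(String[] args) {
        String secret = "s3cr3t-hook-token";                    // constructed, 17 bytes
        String[] guesses = {
            "axxxxxxxxxxxxxxxx",   // wrong first byte: 1 byte examined
            "s3cxxxxxxxxxxxxxx",   // 3 correct bytes: 4 examined
            "s3cr3t-hook-xxxxx",   // 12 correct bytes: 13 examined
            "s3cr3t-hook-token"    // correct: all 17 examined
        };
        for (String g : guesses) {
            int examined = naiveBytesExamined(
                    secret.getBytes(StandardCharsets.UTF_8),
                    g.getBytes(StandardCharsets.UTF_8));
            System.out.printf("%-18s naive examined %2d bytes  naive=%-5b ct=%-5b jdk=%b%n",
                    g, examined, equalsNaive(secret, g),
                    equalsConstantTime(secret, g), equalsWithJdk(secret, g));
        }
    }
}
```

Both fixed variants return the same booleans as the naive one; the only thing that changes is that the amount of work is independent of the input. The same rule applies to any bearer secret compared on the server side: HMAC signatures on webhook bodies, API keys and session tokens.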