CVEs from 2022

5,367 normalized CVEs published or assigned in this year.

Total: 5,367
Critical: 88
High: 1,220
Medium: 938
Low: 24
% Critical: 1.6%
% with KEV: 2.4%
% with exploit: 3.3%

Top products

  • jdk 116
  • jre 109
  • openjdk 100
  • zulu 82
  • graalvm 74
  • cloud_secure_agent 35
  • oncommand_insight 34
  • cloud_insights_acquisition_unit 34
CVE Severity Published Description
CVE-2022-38370 unknown 4y ago Apache IoTDB grafana-connector contains an interface without authorization
CVE-2022-37435 unknown 4y ago Apache ShenYu Admin has insecure permissions
CVE-2022-36033 unknown 4y ago jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled
CVE-2022-37023 unknown 4y ago Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data
CVE-2022-37022 unknown 4y ago Apache Geode versions vulnerable to deserialization of untrusted data when using JMX over RMI on Java 11
CVE-2022-37021 unknown 4y ago Apache Geode vulnerable to Deserialization of Untrusted Data
CVE-2022-2466 unknown 4y ago Quarkus does not terminate HTTP requests header context
CVE-2022-0084 unknown 4y ago XNIO `notifyReadClosed` method logging message to unexpected end
CVE-2022-0225 unknown 4y ago Keycloak XSS via use of malicious payload as group name when creating new group from admin console
CVE-2022-36527 unknown 4y ago Jfinal Cross-site Scripting vulnerability
CVE-2022-37223 unknown 4y ago SQL injection in jflyfox jfinal
CVE-2022-37199 unknown 4y ago SQL injection in jflyfox jfinal
CVE-2022-35278 unknown 4y ago HTML Injection in ActiveMQ Artemis Web Console
CVE-2022-38663 unknown 4y ago Improper masking of credentials Jenkins in Git Plugin
CVE-2022-38664 unknown 4y ago Cross-site Scripting in Jenkins Job Configuration History Plugin
CVE-2022-38665 unknown 4y ago RabbitMQ password stored in plain text by Jenkins CollabNet Plugins Plugin
CVE-2022-34916 unknown 4y ago Remote code execution in Apache Flume
CVE-2022-36157 unknown 4y ago Improper Privilege Management in com.xuxueli:xxl-job
CVE-2022-37422 unknown 4y ago Path Traversal in Payara
CVE-2022-36007 unknown 4y ago Venice vulnerable to Partial Path Traversal issue within the functions `load-file` and `load-resource`
CVE-2022-35948 unknown 4y ago undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically…
CVE-2022-35949 unknown 4y ago undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option…
CVE-2022-38216 unknown 4y ago Mapbox is vulnerable to Integer Overflow
CVE-2022-36599 unknown 4y ago Mingsoft MCMS SQL injection vulnerability in /mdiy/model/delete URI via models List
CVE-2022-36272 unknown 4y ago Mingsoft MCMS SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter
CVE-2022-2390 unknown 4y ago Google Play Services SDK leads to apps having incorrectly set mutability flag
CVE-2022-38180 unknown 4y ago JetBrains Ktor before 2.1.0 vulnerable to selection of wrong authentication provider
CVE-2022-38179 unknown 4y ago JetBrains Ktor before 2.1.0 was vulnerable to a Reflected File Download attack
CVE-2022-35980 unknown 4y ago OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information
CVE-2022-37423 unknown 4y ago Neo4j Graph apoc plugins Partial Path Traversal Vulnerability
CVE-2022-35697 unknown 4y ago AEM WCM Core Components CVG Image vulnerable to Reflected Cross-site Scripting
CVE-2022-31195 unknown 4y ago DSpace ItemImportService API Vulnerable to Path Traversal in Simple Archive Format Package Import
CVE-2022-31194 unknown 4y ago JSPUI vulnerable to path traversal in submission (resumable) upload
CVE-2022-31193 unknown 4y ago JSPUI's controlled vocabulary feature vulnerable to Open Redirect before v6.4 and v5.11
CVE-2022-31192 unknown 4y ago JSPUI Possible Cross Site Scripting in "Request a Copy" Feature
CVE-2022-31191 unknown 4y ago JSPUI spellcheck and autocomplete tools vulnerable to Cross Site Scripting
CVE-2022-31190 unknown 4y ago XMLUI's metadata of withdrawn Items is exposed to anonymous users
CVE-2022-31189 unknown 4y ago JSPUI's "Internal System Error" page prints exceptions and stack traces without sanitization
CVE-2022-2053 unknown 4y ago Undertow vulnerable to DoS via large AJP request
CVE-2022-34158 unknown 4y ago Apache JSPWiki CSRF due to crafted invocation on the Image plugin
CVE-2022-27166 unknown 4y ago Apache JSPWiki XSS due to crafted request on XHRHtml2Markup.jsp
CVE-2022-28731 unknown 4y ago Apache JSPWiki CSRF due to crafted request on UserPreferences.jsp
CVE-2022-28732 unknown 4y ago Apache JSPWiki XSS due to crafted request in WeblogPlugin
CVE-2022-28730 unknown 4y ago Apache JSPWiki XSS due to incomplete patch for CVE-2021-40369
CVE-2022-25168 unknown 4y ago Apache Hadoop argument injection vulnerability
CVE-2022-37394 unknown 4y ago An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and…
CVE-2022-25867 unknown 4y ago Socket.IO-client Java before 2.0.1 vulnerable to NULL Pointer Dereference
CVE-2022-2576 unknown 4y ago Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch
CVE-2022-31183 unknown 4y ago fs2-io skips mTLS client verification
CVE-2022-36364 unknown 4y ago Apache Calcite Avatica JDBC driver arbitrary code execution
CVE-2022-36886 unknown 4y ago External Monitor Job Type Plugin does not require POST requests for an HTTP endpoint
CVE-2022-36888 unknown 4y ago Jenkins HashiCorp Vault Plugin does not perform permission checks in several HTTP endpoints that perform Vault connection tests
CVE-2022-36881 unknown 4y ago Jenkins Git client plugin 3.11.0 does not perform SSH host key verification
CVE-2022-36885 unknown 4y ago Jenkins GitHub plugin uses weak webhook signature function
CVE-2022-36882 unknown 4y ago Lack of authentication mechanism in Jenkins Git Plugin webhook
CVE-2022-36887 unknown 4y ago Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints
CVE-2022-36883 unknown 4y ago Lack of authentication mechanism in Jenkins Git Plugin webhook
CVE-2022-36884 unknown 4y ago Lack of authentication mechanism in Jenkins Git Plugin webhook
CVE-2022-36921 unknown 4y ago Missing permission check in Coverity Plugin allows capturing credentials
CVE-2022-36899 unknown 4y ago Agent-to-controller security bypass in Jenkins BMC Compuware ISPW Operations plugin
CVE-2022-36893 unknown 4y ago Jenkins rpmsign-plugin does not perform a permission check in a method implementing form validation
CVE-2022-36917 unknown 4y ago Jenkins Google Cloud Backup Plugin allows attackers with Overall/Read permission to request a manual backup.
CVE-2022-36901 unknown 4y ago Jenkins HTTP Request Plugin stores HTTP Request passwords unencrypted
CVE-2022-36910 unknown 4y ago Lucene-Search Plugin does not perform permission checks in several HTTP endpoints
CVE-2022-36909 unknown 4y ago Missing permission check in Jenkins OpenShift Deployer Plugin
CVE-2022-36895 unknown 4y ago Jenkins Compuware Topaz Utilities Plugin is missing authorization
CVE-2022-36907 unknown 4y ago Missing permission check in Jenkins OpenShift Deployer Plugin
CVE-2022-36890 unknown 4y ago Jenkins Deployer Framework Plugin vulnerable to Path Traversal
CVE-2022-36908 unknown 4y ago CSRF vulnerability in Jenkins OpenShift Deployer Plugin
CVE-2022-36919 unknown 4y ago Jenkins Coverity Plugin allows attackers with Overall/Read permission to enumerate credentials IDs
CVE-2022-36892 unknown 4y ago Jenkins rhnpush-plugin does not perform a permission check in a method implementing form validation
CVE-2022-36922 unknown 4y ago Jenkins Lucene-Search Plugin vulnerable to reflected (XSS) cross-site scripting
CVE-2022-36900 unknown 4y ago Jenkins Compuware zAdviser API Plugin vulnerable to protection mechanism failure
CVE-2022-36905 unknown 4y ago Stored XSS vulnerability in Jenkins Maven Metadata Plugin for Jenkins CI server plugin
CVE-2022-36903 unknown 4y ago Jenkins Repository Connector Plugin allows attackers with Overall/Read permission to enumerate credentials IDs
CVE-2022-36915 unknown 4y ago Jenkins Android Signing Plugin allows attackers to check whether attacker-specified file patterns match workspace contents
CVE-2022-36896 unknown 4y ago Jenkins Compuware Source Code Download is missing authorization
CVE-2022-36904 unknown 4y ago Jenkins Repository Connector Plugin does not perform a permission check in a method implementing form validation
CVE-2022-36912 unknown 4y ago Missing permission checks in Jenkins openstack-heat Plugin
CVE-2022-36916 unknown 4y ago CSRF vulnerability in Jenkins Google Cloud Backup Plugin
CVE-2022-36914 unknown 4y ago Jenkins Files Found Trigger Plugin allows attackers to check for existence of attacker-specified file path on Jenkins controller file system
CVE-2022-36894 unknown 4y ago Arbitrary file write vulnerability in Jenkins CLIF Performance Testing plugin
CVE-2022-36898 unknown 4y ago Jenkins Compuware ISPW Operations Plugin does not perform permission checks in several HTTP endpoints
CVE-2022-36902 unknown 4y ago Stored XSS vulnerability in Jenkins Dynamic Extended Choice Parameter plugin
CVE-2022-36920 unknown 4y ago Jenkins Coverity Plugin vulnerable to cross-site request forgery (CSRF)
CVE-2022-36897 unknown 4y ago Jenkins Compuware Xpediter Code Coverage Plugin Missing Authorization
CVE-2022-36889 unknown 4y ago Jenkins Deployer Framework Plugin does not restrict application path of applications when configuring a deployment
CVE-2022-36906 unknown 4y ago CSRF vulnerability in Jenkins OpenShift Deployer Plugin
CVE-2022-36918 unknown 4y ago Jenkins Buckminster Plugin does not perform a permission check in a method implementing form validation
CVE-2022-36913 unknown 4y ago Jenkins Openstack Heat Plugin does not perform permission checks in methods implementing form validation
CVE-2022-36911 unknown 4y ago CSRF vulnerability in Jenkins openstack-heat Plugin
CVE-2022-36891 unknown 4y ago Jenkins Deployer Framework Plugin allows attackers with Item/Read permission to read deployment logs
CVE-2022-34112 unknown 4y ago Dataease before 1.11.2 access control issue allows attackers to arbitrarily uninstall plugin
CVE-2022-34113 unknown 4y ago Dataease before 1.11.2 allows arbitrary code execution via crafted plugin
CVE-2022-34114 unknown 4y ago SQL Injection found in Dataease
CVE-2022-34115 unknown 4y ago Dataease v1.11.1 SQL Injection via parameter dataSourceId
CVE-2022-32430 unknown 4y ago Hardcoded JWT Token in Lin CMS Spring Boot
CVE-2022-35912 unknown 4y ago Grails framework Remote Code Execution via Data Binding
CVE-2022-31151 unknown 4y ago Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users us…
CVE-2022-31150 unknown 4y ago undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0…