CVEs from 2022

5,370 normalized CVEs published or assigned in this year.

  • Total: 5,370
  • Critical: 88
  • High: 1,219
  • Medium: 945
  • Low: 24
  • % Critical: 1.6%
  • % with KEV: 2.4%
  • % with exploit: 3.3%

The four severity buckets account for 2,276 of the 5,370 entries; the remainder carry no severity rating (shown as "unknown" in the table below).

Top products by number of affecting CVEs

  • jdk 116
  • jre 109
  • openjdk 100
  • zulu 82
  • graalvm 74
  • cloud_secure_agent 35
  • oncommand_insight 34
  • cloud_insights_acquisition_unit 34
CVE Severity Published Description
CVE-2022-41247 unknown 4y ago Jenkins BigPanda Notifier Plugin stores BigPanda API key unencrypted
CVE-2022-41244 unknown 4y ago Missing hostname validation in Jenkins View26 Test-Reporting Plugin
CVE-2022-41242 unknown 4y ago Jenkins extreme-feedback Plugin vulnerable to Missing Authorization
CVE-2022-41229 unknown 4y ago Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-site Scripting
CVE-2022-41224 unknown 4y ago Jenkins vulnerable to stored cross site scripting in the I:helpIcon component
CVE-2022-41246 unknown 4y ago CSRF vulnerability and mM
CVE-2022-41233 unknown 4y ago Jenkins Rundeck Plugin Missing Authorization vulnerability
CVE-2022-41238 unknown 4y ago Lack of authentication mechanism in Jenkins DotCi Plugin webhook
CVE-2022-41226 unknown 4y ago Jenkins Compuware Common Configuration Plugin vulnerable to Improper Restriction of XML External Entity Reference
CVE-2022-41236 unknown 4y ago CSRF vulnerability in Jenkins Security Inspector plugin
CVE-2022-41231 unknown 4y ago Path traversal in Jenkins build-publisher Plugin
CVE-2022-41234 unknown 4y ago Missing webhook endpoint authorization in Jenkins Rundeck Plugin
CVE-2022-41245 unknown 4y ago CSRF vulnerability in Jenkins Worksoft Execution Manager Plugin allows capturing credentials
CVE-2022-41230 unknown 4y ago Missing permission check in Jenkins build-publisher Plugin
CVE-2022-41237 unknown 4y ago RCE vulnerability in Jenkins DotCi Plugin
CVE-2022-41239 unknown 4y ago Stored XSS vulnerability in Jenkins DotCi Plugin
CVE-2022-41232 unknown 4y ago Jenkins build-publisher plugin vulnerable to cross-site request forgery
CVE-2022-41235 unknown 4y ago Jenkins WildFly Deployer Plugin vulnerable to path traversal
CVE-2022-41225 unknown 4y ago Jenkins Anchore Container Image Scanner Plugin vulnerable to cross site scripting
CVE-2022-41227 unknown 4y ago Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-Site Request Forgery
CVE-2022-41240 unknown 4y ago Stored XSS vulnerability in Jenkins Walti plugin
CVE-2022-41241 unknown 4y ago Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference
CVE-2022-41243 unknown 4y ago Jenkins SmallTest Plugin missing hostname validation
CVE-2022-41228 unknown 4y ago Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Missing Authorization
CVE-2022-41251 unknown 4y ago Jenkins Apprenda Plugin has Missing Authorization vulnerability
CVE-2022-41255 unknown 4y ago API token stored in plain text by Jenkins CONS3RT Plugin
CVE-2022-41248 unknown 4y ago Jenkins BigPanda Notifier Plugin Missing Password Field Masking
CVE-2022-41254 unknown 4y ago Missing permission checks in Jenkins CONS3RT Plugin allow capturing credentials
CVE-2022-41249 unknown 4y ago Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery
CVE-2022-41252 unknown 4y ago Missing permission checks in Jenkins CONS3RT Plugin allow enumerating credentials IDs
CVE-2022-41253 unknown 4y ago CSRF vulnerability in Jenkins CONS3RT Plugin allows capturing credentials
CVE-2022-41250 unknown 4y ago Missing permission check in Jenkins SCM HttpClient Plugin allows capturing credentials
CVE-2022-31679 unknown 4y ago Spring Data REST can expose hidden entity attributes
CVE-2022-34917 unknown 4y ago Apache Kafka vulnerability can lead to brokers hitting OutOfMemoryException, causing Denial of Service
CVE-2022-40955 unknown 4y ago Apache InLong vulnerable to Deserialization of Untrusted Data
CVE-2022-31166 unknown 4y ago XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups
CVE-2022-31167 unknown 4y ago XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference
CVE-2022-25873 unknown 4y ago Vuetify Cross-site Scripting vulnerability
CVE-2022-40150 unknown 4y ago Jettison memory exhaustion
CVE-2022-40149 unknown 4y ago Jettison parser crash by stackoverflow
CVE-2022-40152 unknown 4y ago Denial of Service due to parser crash
CVE-2022-36095 unknown 4y ago XWiki Cross-Site Request Forgery (CSRF) for actions on tags
CVE-2022-36109 unknown 4y ago Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has di…
CVE-2022-36090 unknown 4y ago XWiki Platform Improper Authorization check for inactive users
CVE-2022-36091 unknown 4y ago XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor
CVE-2022-36096 unknown 4y ago XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list
CVE-2022-36097 unknown 4y ago XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form
CVE-2022-36098 unknown 4y ago XWiki Platform Mentions UI vulnerable to Cross-site Scripting
CVE-2022-36099 unknown 4y ago XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability
CVE-2022-36100 unknown 4y ago XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection
CVE-2022-36113 unknown 4y ago Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it…
CVE-2022-36114 unknown 4y ago Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternat…
CVE-2022-36092 unknown 4y ago XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action
CVE-2022-36093 unknown 4y ago XWiki Platform Web Templates vulnerable to Unauthorized User Registration Through the Distribution Wizard
CVE-2022-36094 unknown 4y ago XWiki Platform Web Parent POM vulnerable to XSS in the attachment history
CVE-2022-25897 unknown 4y ago Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service)
CVE-2022-37724 unknown 4y ago Project Wonder WebObjects vulnerable to Arbitrary HTTP Header Injection and Cross-site Scripting
CVE-2022-1278 unknown 4y ago WildFly vulnerable to Insecure Default Initialization of Resource
CVE-2022-40634 unknown 4y ago CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources
CVE-2022-40635 unknown 4y ago CrafterCMS OS Command Injection vulnerability
CVE-2022-37734 unknown 4y ago graphql-java vulnerable to Denial of Service via GraphQL query that consumes CPU resources
CVE-2022-37767 unknown 4y ago Pebble Templates protection mechanism bypass can lead to arbitrary code execution
CVE-2022-39135 unknown 4y ago Apache Calcite before 1.32.0 vulnerable to potential XML External Entity (XXE) attack
CVE-2022-26049 unknown 4y ago Goomph before 3.37.2 allows malicious zip file to write contents to arbitrary locations
CVE-2022-25914 unknown 4y ago com.google.cloud.tools:jib-core vulnerable to Remote Code Execution (RCE)
CVE-2022-28220 unknown 4y ago Apache James vulnerable to buffering attack
CVE-2022-36663 unknown 4y ago Gluu Oxauth before v4.4.1 vulnerable to Server-Side Request Forgery attacks via a crafted request_uri parameter
CVE-2022-38370 unknown 4y ago Apache IoTDB grafana-connector contains an interface without authorization
CVE-2022-38369 unknown 4y ago Apache IoTDB Session Fixation vulnerability
CVE-2022-37435 unknown 4y ago Apache ShenYu Admin has insecure permissions
CVE-2022-36033 unknown 4y ago jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled
CVE-2022-37022 unknown 4y ago Apache Geode versions vulnerable to deserialization of untrusted data when using JMX over RMI on Java 11
CVE-2022-37023 unknown 4y ago Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data
CVE-2022-37021 unknown 4y ago Apache Geode vulnerable to Deserialization of Untrusted Data
CVE-2022-2466 unknown 4y ago Quarkus does not terminate HTTP requests header context
CVE-2022-0225 unknown 4y ago Keycloak XSS via use of malicious payload as group name when creating new group from admin console
CVE-2022-0084 unknown 4y ago XNIO `notifyReadClosed` method logging message to unexpected end
CVE-2022-36527 unknown 4y ago Jfinal Cross-site Scripting vulnerability
CVE-2022-35278 unknown 4y ago HTML Injection in ActiveMQ Artemis Web Console
CVE-2022-37223 unknown 4y ago SQL injection in jflyfox jfinal
CVE-2022-37199 unknown 4y ago SQL injection in jflyfox jfinal
CVE-2022-38665 unknown 4y ago RabbitMQ password stored in plain text by Jenkins CollabNet Plugins Plugin
CVE-2022-38663 unknown 4y ago Improper masking of credentials in Jenkins Git Plugin
CVE-2022-38664 unknown 4y ago Cross-site Scripting in Jenkins Job Configuration History Plugin
CVE-2022-34916 unknown 4y ago Remote code execution in Apache Flume
CVE-2022-36157 unknown 4y ago Improper Privilege Management in com.xuxueli:xxl-job
CVE-2022-37422 unknown 4y ago Path Traversal in Payara
CVE-2022-36007 unknown 4y ago Venice vulnerable to Partial Path Traversal issue within the functions `load-file` and `load-resource`
CVE-2022-35948 unknown 4y ago undici is an HTTP/1.1 client, written from scratch for Node.js. `=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically…
CVE-2022-35949 unknown 4y ago undici is an HTTP/1.1 client, written from scratch for Node.js. `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option…
CVE-2022-38216 unknown 4y ago Mapbox is vulnerable to Integer Overflow
CVE-2022-36599 unknown 4y ago Mingsoft MCMS SQL injection vulnerability in /mdiy/model/delete URI via models List
CVE-2022-36272 unknown 4y ago Mingsoft MCMS SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter
CVE-2022-2390 unknown 4y ago Google Play Services SDK leads to apps having incorrectly set mutability flag
CVE-2022-38179 unknown 4y ago JetBrains Ktor before 2.1.0 was vulnerable to a Reflected File Download attack
CVE-2022-38180 unknown 4y ago JetBrains Ktor before 2.1.0 vulnerable to selection of wrong authentication provider
CVE-2022-35980 unknown 4y ago OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information
CVE-2022-37423 unknown 4y ago Neo4j Graph apoc plugins Partial Path Traversal Vulnerability
CVE-2022-35697 unknown 4y ago AEM WCM Core Components CVG Image vulnerable to Reflected Cross-site Scripting
CVE-2022-31195 unknown 4y ago DSpace ItemImportService API Vulnerable to Path Traversal in Simple Archive Format Package Import