CVEs from 2022

Total: 5,367
- critical: 88
- high: 1,225
- medium: 948
- low: 24

% Critical: 1.6%
% with KEV: 2.4%
% with exploit: 3.3%

Top vendors

Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-2712 | unknown | — | — | | | | 3y ago | Path Traversal In Eclipse GlassFish |
| CVE-2022-47951 | unknown | — | — | | | | 3y ago | An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0… |
| CVE-2022-25894 | unknown | — | — | | | | 3y ago | Remote Code Execution in com.bstek.uflo:uflo-core |
| CVE-2022-47042 | unknown | — | — | | | | 3y ago | Arbitrary file write in net.mingsoft:ms-mcms |
| CVE-2022-47105 | unknown | — | — | | | | 3y ago | Jeecg-boot is vulnerable to SQL injection |
| CVE-2022-47950 | unknown | — | — | | | | 3y ago | An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file c… |
| CVE-2022-25901 | unknown | — | — | | | | 3y ago | cookiejar Regular Expression Denial of Service via Cookie.parse function |
| CVE-2022-23532 | unknown | — | — | | | | 3y ago | org.neo4j.procedure:apoc Path Traversal Vulnerability |
| CVE-2022-3143 | unknown | — | — | | | | 3y ago | Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator |
| CVE-2022-24913 | unknown | — | — | | | | 3y ago | Java Merge-sort Insecure Temporary File vulnerability |
| CVE-2022-46176 | unknown | — | — | | | | 3y ago | Cargo is a Rust package manager. The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could explo… |
| CVE-2022-46769 | unknown | — | — | | | | 3y ago | Apache Sling App CMS vulnerable to reflected Cross-site Scripting |
| CVE-2022-45935 | unknown | — | — | | | | 3y ago | Apache James server allows an attacker with local access to access private user data in transit |
| CVE-2022-45787 | unknown | — | — | | | | 3y ago | Apache James MIME4J vulnerable to information disclosure to local users |
| CVE-2022-45875 | unknown | — | — | | | | 4y ago | Apache DolphinScheduler vulnerable to Improper Input Validation |
| CVE-2022-38723 | unknown | — | — | | | | 4y ago | Gravitee API Management contains Path Traversal |
| CVE-2022-45143 | unknown | — | — | | | | 4y ago | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from use… |
| CVE-2022-47551 | unknown | — | — | | | | 4y ago | Apiman has potential permissions bypass |
| CVE-2022-46178 | unknown | — | — | | | | 4y ago | Path Traversal in MeterSphere leads to upload file to any path |
| CVE-2022-40151 | unknown | — | — | | | | 4y ago | XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow |
| CVE-2022-43396 | unknown | — | — | | | | 4y ago | Apache Kylin vulnerable to Command injection by Useless configuration |
| CVE-2022-44621 | unknown | — | — | | | | 4y ago | Apache Kylin vulnerable to Command injection by Diagnosis Controller |
| CVE-2022-41966 | unknown | — | — | | | | 4y ago | XStream can cause Denial of Service via stack overflow |
| CVE-2022-4772 | unknown | — | — | | | | 4y ago | Widoco Path Traversal vulnerability |
| CVE-2022-4725 | unknown | — | — | | | | 4y ago | AWS SDK is vulnerable to server-side request forgery (SSRF) |
| CVE-2022-36437 | unknown | — | — | | | | 4y ago | Hazelcast connection caching |
| CVE-2022-45347 | unknown | — | — | | | | 4y ago | Apache ShardingSphere-Proxy Incomplete Cleanup vulnerability |
| CVE-2022-4640 | unknown | — | — | | | | 4y ago | Mingsoft MCMS Cross-site Scripting vulnerability |
| CVE-2022-40145 | unknown | — | — | | | | 4y ago | Apache Karaf vulnerable to potential code injection |
| CVE-2022-46870 | unknown | — | — | | | | 4y ago | Apache Zeppelin Cross-site Scripting vulnerability |
| CVE-2022-25940 | unknown | — | — | | | | 4y ago | lite-server vulnerable to Denial of Service |
| CVE-2022-47500 | unknown | — | — | | | | 4y ago | Apache Helix UI vulnerable to Open Redirect |
| CVE-2022-4565 | unknown | — | — | | | | 4y ago | HuTool vulnerable to Uncontrolled Resource Consumption |
| CVE-2022-4520 | unknown | — | — | | | | 4y ago | WSO2 carbon-registry Cross-site Scripting vulnerability |
| CVE-2022-4521 | unknown | — | — | | | | 4y ago | WSO2 carbon-registry vulnerable to Cross-site Scripting |
| CVE-2022-32531 | unknown | — | — | | | | 4y ago | Apache Bookkeeper vulnerable to Improper Certificate Validation |
| CVE-2022-4493 | unknown | — | — | | | | 4y ago | SCIFIO vulnerable to Path Traversal |
| CVE-2022-34271 | unknown | — | — | | | | 4y ago | Apache Atlas: zip path traversal in import functionality |
| CVE-2022-3782 | unknown | — | — | | | | 4y ago | Keycloak vulnerable to path traversal via double URL encoding |
| CVE-2022-3916 | unknown | — | — | | | | 4y ago | Keycloak vulnerable to session takeover with OIDC offline refresh tokens |
| CVE-2022-46364 | unknown | — | — | | | | 4y ago | Apache CXF Server-Side Request Forgery vulnerability |
| CVE-2022-46363 | unknown | — | — | | | | 4y ago | Apache CXF vulnerable to Exposure of Sensitive Information |
| CVE-2022-45693 | unknown | — | — | | | | 4y ago | Jettison Out-of-bounds Write vulnerability |
| CVE-2022-45689 | unknown | — | — | | | | 4y ago | hutool-json vulnerable to memory exhaustion |
| CVE-2022-45688 | unknown | — | — | | | | 4y ago | json stack overflow vulnerability |
| CVE-2022-45690 | unknown | — | — | | | | 4y ago | hutool-json stack overflow vulnerability |
| CVE-2022-45685 | unknown | — | — | | | | 4y ago | Jettison Out-of-bounds Write vulnerability |
| CVE-2022-41915 | unknown | — | — | | | | 4y ago | Netty vulnerable to HTTP Response splitting from assigning header value iterator |
| CVE-2022-41881 | unknown | — | — | | | | 4y ago | HAProxyMessageDecoder Stack Exhaustion DoS |
| CVE-2022-3509 | unknown | — | — | | | | 4y ago | Protobuf Java vulnerable to Uncontrolled Resource Consumption |
| CVE-2022-3510 | unknown | — | — | | | | 4y ago | Protobuf Java vulnerable to Uncontrolled Resource Consumption |
| CVE-2022-46687 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Jenkins Spring Config Plugin |
| CVE-2022-46686 | unknown | — | — | | | | 4y ago | Jenkins Custom Build Properties Plugin vulnerable to Cross-site Scripting |
| CVE-2022-46683 | unknown | — | — | | | | 4y ago | Jenkins Google Login Plugin Open Redirect vulnerability |
| CVE-2022-46684 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Jenkins Checkmarx Plugin |
| CVE-2022-46685 | unknown | — | — | | | | 4y ago | Jenkins Gitea Plugin vulnerable to Cleartext Transmission of Sensitive Information |
| CVE-2022-46682 | unknown | — | — | | | | 4y ago | Jenkins Plot Plugin XML External Entity Reference vulnerability |
| CVE-2022-46688 | unknown | — | — | | | | 4y ago | Jenkins Sonar Gerrit Plugin vulnerable to Cross-Site Request Forgery |
| CVE-2022-46166 | unknown | — | — | | | | 4y ago | Spring Boot Admin's integrated notifier support allows arbitrary code execution |
| CVE-2022-4375 | unknown | — | — | | | | 4y ago | Mingsoft MCMS vulnerable to SQL Injection |
| CVE-2022-23496 | unknown | — | — | | | | 4y ago | Yauaa vulnerable to ArrayIndexOutOfBoundsException triggered by a crafted Sec-Ch-Ua-Full-Version-List |
| CVE-2022-4350 | unknown | — | — | | | | 4y ago | Mingsoft MCMS vulnerable to Cross-site Scripting |
| CVE-2022-4348 | unknown | — | — | | | | 4y ago | RuoYi-Cloud Cross-site Scripting vulnerability |
| CVE-2022-23491 | unknown | — | — | | | | 4y ago | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates fro… |
| CVE-2022-4147 | unknown | — | — | | | | 4y ago | Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed |
| CVE-2022-44900 | unknown | — | — | | | | 4y ago | A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z fil… |
| CVE-2022-45046 | unknown | — | — | | | | 4y ago | camel-ldap component allows LDAP Injection when using the filter option |
| CVE-2022-43484 | unknown | — | — | | | | 4y ago | TERASOLUNA Server Framework vulnerable to ClassLoader manipulation |
| CVE-2022-46146 | unknown | — | — | | | | 4y ago | Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypa… |
| CVE-2022-46366 | unknown | — | — | | | | 4y ago | Apache Tapestry allows deserialization of untrusted data |
| CVE-2022-44262 | unknown | — | — | | | | 4y ago | ff4j is vulnerable to Remote Code Execution (RCE) |
| CVE-2022-41965 | unknown | — | — | | | | 4y ago | Authenticated Open Redirect Vulnerability |
| CVE-2022-46149 | unknown | — | — | | | | 4y ago | Cap'n Proto is a data interchange format and remote procedure call (RPC) system. Cap'n Proto prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap'n Proto's Rust implementatio… |
| CVE-2022-21126 | unknown | — | — | | | | 4y ago | HTSJDK is vulnerable to exposure of resource(s) to the wrong sphere |
| CVE-2022-41954 | unknown | — | — | | | | 4y ago | Temporary File Information Disclosure vulnerability in MPXJ |
| CVE-2022-45921 | unknown | — | — | | | | 4y ago | FusionAuth vulnerable to directory traversal attack |
| CVE-2022-45907 | unknown | — | — | | | | 4y ago | In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. |
| CVE-2022-45207 | unknown | — | — | | | | 4y ago | Jeecg-boot vulnerable to SQL injection via updateNullByEmptyString |
| CVE-2022-45210 | unknown | — | — | | | | 4y ago | Jeecg-boot vulnerable to SQL Injection |
| CVE-2022-45206 | unknown | — | — | | | | 4y ago | Jeecg-boot vulnerable to SQL Injection |
| CVE-2022-26885 | unknown | — | — | | | | 4y ago | Apache DolphinScheduler has insufficiently protected credentials |
| CVE-2022-45462 | unknown | — | — | | | | 4y ago | Command injection in Apache DolphinScheduler Alert Plugins |
| CVE-2022-4116 | unknown | — | — | | | | 4y ago | Code injection in Quarkus Dev UI config editor |
| CVE-2022-41937 | unknown | — | — | | | | 4y ago | Missing Authorization in Filter Stream Converter Application of XWiki-platform |
| CVE-2022-41936 | unknown | — | — | | | | 4y ago | Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server |
| CVE-2022-41935 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-livetable-ui |
| CVE-2022-41934 | unknown | — | — | | | | 4y ago | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-menu-ui |
| CVE-2022-41933 | unknown | — | — | | | | 4y ago | Plaintext storage of password after a reset in org.xwiki.platform:xwiki-platform-security-authentication-default |
| CVE-2022-41932 | unknown | — | — | | | | 4y ago | Creation of new database tables through login form on PostgreSQL |
| CVE-2022-41931 | unknown | — | — | | | | 4y ago | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui |
| CVE-2022-41930 | unknown | — | — | | | | 4y ago | Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui |
| CVE-2022-41929 | unknown | — | — | | | | 4y ago | Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore |
| CVE-2022-41928 | unknown | — | — | | | | 4y ago | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml |
| CVE-2022-41927 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery (CSRF) allowing to delete or rename tags |
| CVE-2022-45470 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Apache Hama |
| CVE-2022-45146 | unknown | — | — | | | | 4y ago | Garbage collection issue in BC-FJA in Java 13 and later |
| CVE-2022-4065 | unknown | — | — | | | | 4y ago | TestNG is vulnerable to Path Traversal |
| CVE-2022-43183 | unknown | — | — | | | | 4y ago | XXL-JOB vulnerable to Server-Side Request Forgery (SSRF) |
| CVE-2022-45396 | unknown | — | — | | | | 4y ago | XXE vulnerability on agents in Jenkins SourceMonitor Plugin |
| CVE-2022-45400 | unknown | — | — | | | | 4y ago | XXE vulnerability in Jenkins JAPEX Plugin |