CVEs from 2022

- Total: 5,371
- Critical: 92
- High: 1,228
- Medium: 950
- Low: 24
- % Critical: 1.7%
- % with KEV: 2.4%
- % with exploit: 3.3%
Top vendors
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-43418 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Jenkins Katalon Plugin allows capturing credentials |
| CVE-2022-43434 | unknown | — | — | | | | 4y ago | Content-Security-Policy protection for user content disabled by Jenkins NeuVector Vulnerability Scanner Plugin |
| CVE-2022-43435 | unknown | — | — | | | | 4y ago | Content-Security-Policy protection for user content can be disabled in Jenkins 360 FireLine Plugin |
| CVE-2022-43417 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins Katalon Plugin allow capturing credentials |
| CVE-2022-43426 | unknown | — | — | | | | 4y ago | AWS secrets displayed without masking by Jenkins S3 Explorer Plugin |
| CVE-2022-43416 | unknown | — | — | | | | 4y ago | Jenkins Katalon Plugin vulnerable to Protection Mechanism Failure |
| CVE-2022-43420 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Jenkins Contrast Continuous Application Security Plugin |
| CVE-2022-43410 | unknown | — | — | | | | 4y ago | Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin |
| CVE-2022-43427 | unknown | — | — | | | | 4y ago | Jenkins Compuware Topaz for Total Test Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins |
| CVE-2022-43415 | unknown | — | — | | | | 4y ago | XXE vulnerability in Jenkins REPO Plugin |
| CVE-2022-43419 | unknown | — | — | | | | 4y ago | API keys stored in plain text by Jenkins Katalon Plugin |
| CVE-2022-43430 | unknown | — | — | | | | 4y ago | XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin |
| CVE-2022-43408 | unknown | — | — | | | | 4y ago | Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins |
| CVE-2022-42115 | unknown | — | — | | | | 4y ago | Liferay Portal Vulnerable to XSS in the Object Module |
| CVE-2022-42117 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Frontend Taglib Module |
| CVE-2022-42112 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Portal Search Module |
| CVE-2022-42113 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Document Library Module |
| CVE-2022-42116 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the CKEditor Integration with the Frontend Editor Module |
| CVE-2022-42114 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Role Module |
| CVE-2022-39198 | unknown | — | — | | | | 4y ago | Hessian Lite for Apache Dubbo deserialization vulnerability |
| CVE-2022-42466 | unknown | — | — | | | | 4y ago | Apache Isis Cross-site Scripting vulnerability |
| CVE-2022-42467 | unknown | — | — | | | | 4y ago | Apache Isis webconsole module may directly query the database in prototype mode |
| CVE-2022-39312 | unknown | — | — | | | | 4y ago | MySQL JDBC deserialization vulnerability |
| CVE-2022-42969 | unknown | — | — | | | | 4y ago | Withdrawn Advisory: ReDoS in py library when used with subversion |
| CVE-2022-41828 | unknown | — | — | | | | 4y ago | com.amazon.redshift:redshift-jdbc42 vulnerable to remote command execution |
| CVE-2022-41404 | unknown | — | — | | | | 4y ago | org.ini4j allows attackers to cause a Denial of Service (DoS) |
| CVE-2022-40664 | unknown | — | — | | | | 4y ago | Apache Shiro Authentication Bypass vulnerability |
| CVE-2022-41414 | unknown | — | — | | | | 4y ago | Liferay Portal Insecure Default Configuration in auth.login.prompt.enabled |
| CVE-2022-39237 | unknown | — | — | | | | 4y ago | sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1 the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) us… |
| CVE-2022-41853 | unknown | — | — | | | | 4y ago | HyperSQL DataBase vulnerable to remote code execution when processing untrusted input |
| CVE-2022-3171 | unknown | — | — | | | | 4y ago | protobuf-java has a potential Denial of Service issue |
| CVE-2022-39248 | unknown | — | — | | | | 4y ago | matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion |
| CVE-2022-39246 | unknown | — | — | | | | 4y ago | matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions |
| CVE-2022-39243 | unknown | — | — | | | | 4y ago | NuProcess vulnerable to command-line injection through insertion of NUL character(s) |
| CVE-2022-40929 | unknown | — | — | | | | 4y ago | XXL-JOB contains a Command execution vulnerability in background tasks |
| CVE-2022-39261 | unknown | — | — | | | | 4y ago | Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a us… |
| CVE-2022-3290 | unknown | — | — | | | | 4y ago | rdiffweb's unlimited username field length can lead to DoS |
| CVE-2022-33682 | unknown | — | — | | | | 4y ago | Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation |
| CVE-2022-33681 | unknown | — | — | | | | 4y ago | Apache Pulsar Java Client vulnerable to Improper Certificate Validation |
| CVE-2022-33683 | unknown | — | — | | | | 4y ago | Apache Pulsar Brokers and Proxies vulnerable to Improper Certificate Validation |
| CVE-2022-26112 | unknown | — | — | | | | 4y ago | Apache Pinot has Groovy Function support enabled by default |
| CVE-2022-36944 | unknown | — | — | | | | 4y ago | Scala subject to file deletion, code execution due to Java deserialization chain with LazyList object deserialization |
| CVE-2022-24280 | unknown | — | — | | | | 4y ago | Proxy component of Apache Pulsar subject to abuse as Denial of Service endpoint |
| CVE-2022-23463 | unknown | — | — | | | | 4y ago | Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution |
| CVE-2022-23464 | unknown | — | — | | | | 4y ago | Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery |
| CVE-2022-36025 | unknown | — | — | | | | 4y ago | Besu VM vulnerable to gas allocation error in CALL operations |
| CVE-2022-2256 | unknown | — | — | | | | 4y ago | Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles |
| CVE-2022-2668 | unknown | — | — | | | | 4y ago | Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console |
| CVE-2022-28982 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via Tag Name |
| CVE-2022-40705 | unknown | — | — | | | | 4y ago | Apache SOAP's RPCRouterServlet allows reading of arbitrary files over HTTP |
| CVE-2022-39975 | unknown | — | — | | | | 4y ago | Liferay Portal Missing Authorization vulnerability |
| CVE-2022-38512 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Fails to Check Permissions in Translation Module |
| CVE-2022-28978 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Site Module |
| CVE-2022-28979 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Portal Search Module |
| CVE-2022-28981 | unknown | — | — | | | | 4y ago | Liferay Portal Path Traversal Vulnerability via the Hypermedia REST APIs Module |
| CVE-2022-28980 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the filter_ Prefix |
| CVE-2022-28977 | unknown | — | — | | | | 4y ago | Liferay Portal and Liferay DXP HtmlUtil.escapeRedirect Can Be Circumvented |
| CVE-2022-38648 | unknown | — | — | | | | 4y ago | Apache Batik vulnerable to Server-Side Request Forgery |
| CVE-2022-40146 | unknown | — | — | | | | 4y ago | Apache Batik vulnerable to Server-Side Request Forgery |
| CVE-2022-38398 | unknown | — | — | | | | 4y ago | Apache Batik Server-Side Request Forgery |
| CVE-2022-41247 | unknown | — | — | | | | 4y ago | Jenkins BigPanda Notifier Plugin stores BigPanda API key unencrypted |
| CVE-2022-41244 | unknown | — | — | | | | 4y ago | Missing hostname validation in Jenkins View26 Test-Reporting Plugin |
| CVE-2022-41226 | unknown | — | — | | | | 4y ago | Jenkins Compuware Common Configuration Plugin vulnerable to Improper Restriction of XML External Entity Reference |
| CVE-2022-41234 | unknown | — | — | | | | 4y ago | Missing webhook endpoint authorization in Jenkins Rundeck Plugin |
| CVE-2022-41241 | unknown | — | — | | | | 4y ago | Jenkins RQM Plugin vulnerable to Improper Restriction of XML External Entity Reference |
| CVE-2022-41230 | unknown | — | — | | | | 4y ago | Missing permission check in Jenkins build-publisher Plugin |
| CVE-2022-41228 | unknown | — | — | | | | 4y ago | Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Missing Authorization |
| CVE-2022-41246 | unknown | — | — | | | | 4y ago | CSRF vulnerability and mM |
| CVE-2022-41238 | unknown | — | — | | | | 4y ago | Lack of authentication mechanism in Jenkins DotCi Plugin webhook |
| CVE-2022-41240 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Jenkins Walti plugin |
| CVE-2022-41236 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Jenkins Security Inspector plugin |
| CVE-2022-41232 | unknown | — | — | | | | 4y ago | Jenkins build-publisher plugin vulnerable to cross-site request forgery |
| CVE-2022-41229 | unknown | — | — | | | | 4y ago | Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-site Scripting |
| CVE-2022-41242 | unknown | — | — | | | | 4y ago | Jenkins extreme-feedback Plugin vulnerable to Missing Authorization |
| CVE-2022-41239 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Jenkins DotCi Plugin |
| CVE-2022-41237 | unknown | — | — | | | | 4y ago | RCE vulnerability in Jenkins DotCi Plugin |
| CVE-2022-41224 | unknown | — | — | | | | 4y ago | Jenkins vulnerable to stored cross site scripting in the I:helpIcon component |
| CVE-2022-41233 | unknown | — | — | | | | 4y ago | Jenkins Rundeck Plugin Missing Authorization vulnerability |
| CVE-2022-41227 | unknown | — | — | | | | 4y ago | Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-Site Request Forgery |
| CVE-2022-41245 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Jenkins Worksoft Execution Manager Plugin allows capturing credentials |
| CVE-2022-41231 | unknown | — | — | | | | 4y ago | Path traversal in Jenkins build-publisher Plugin |
| CVE-2022-41243 | unknown | — | — | | | | 4y ago | Jenkins SmallTest Plugin missing hostname validation |
| CVE-2022-41225 | unknown | — | — | | | | 4y ago | Jenkins Anchore Container Image Scanner Plugin vulnerable to cross site scripting |
| CVE-2022-41235 | unknown | — | — | | | | 4y ago | Jenkins WildFly Deployer Plugin vulnerable to path traversal |
| CVE-2022-41251 | unknown | — | — | | | | 4y ago | Jenkins Apprenda Plugin has Missing Authorization vulnerability |
| CVE-2022-41254 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins CONS3RT Plugin allow capturing credentials |
| CVE-2022-41252 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins CONS3RT Plugin allow enumerating credentials IDs |
| CVE-2022-41249 | unknown | — | — | | | | 4y ago | Jenkins SCM HttpClient Plugin vulnerable to Cross-Site Request Forgery |
| CVE-2022-41248 | unknown | — | — | | | | 4y ago | Jenkins BigPanda Notifier Plugin Missing Password Field Masking |
| CVE-2022-41255 | unknown | — | — | | | | 4y ago | API token stored in plain text by Jenkins CONS3RT Plugin |
| CVE-2022-41253 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Jenkins CONS3RT Plugin allows capturing credentials |
| CVE-2022-41250 | unknown | — | — | | | | 4y ago | Missing permission check in Jenkins SCM HttpClient Plugin allows capturing credentials |
| CVE-2022-31679 | unknown | — | — | | | | 4y ago | Spring Data REST can expose hidden entity attributes |
| CVE-2022-34917 | unknown | — | — | | | | 4y ago | Apache Kafka vulnerability can lead to brokers hitting OutOfMemoryException, causing Denial of Service |
| CVE-2022-40955 | unknown | — | — | | | | 4y ago | Apache InLong vulnerable to Deserialization of Untrusted Data |
| CVE-2022-31166 | unknown | — | — | | | | 4y ago | XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups |
| CVE-2022-31167 | unknown | — | — | | | | 4y ago | XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference |
| CVE-2022-25873 | unknown | — | — | | | | 4y ago | Vuetify Cross-site Scripting vulnerability |
| CVE-2022-40152 | unknown | — | — | | | | 4y ago | Denial of Service due to parser crash |
| CVE-2022-40149 | unknown | — | — | | | | 4y ago | Jettison parser crash by stackoverflow |