CVEs from 2022
Total
5,371
critical
critical 92
high
high 1,228
medium
medium 950
low
low 24
% Critical
1.7%
% with KEV
2.4%
% with exploit
3.3%
Top vendors
Top products
- jdk 116
- jre 109
- openjdk 100
- zulu 82
- graalvm 74
- cloud_secure_agent 35
- oncommand_insight 34
- cloud_insights_acquisition_unit 34
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-40149 | unknown | — | — | 4y ago | Jettison parser crash by stackoverflow | |||
| CVE-2022-36095 | unknown | — | — | 4y ago | XWiki Cross-Site Request Forgery (CSRF) for actions on tags | |||
| CVE-2022-36109 | unknown | — | — | 4y ago | Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has di… | |||
| CVE-2022-36090 | unknown | — | — | 4y ago | XWiki Platform Improper Authorization check for inactive users | |||
| CVE-2022-36091 | unknown | — | — | 4y ago | XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor | |||
| CVE-2022-36096 | unknown | — | — | 4y ago | XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list | |||
| CVE-2022-36097 | unknown | — | — | 4y ago | XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form | |||
| CVE-2022-36098 | unknown | — | — | 4y ago | XWiki Platform Mentions UI vulnerable to Cross-site Scripting | |||
| CVE-2022-36099 | unknown | — | — | 4y ago | XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability | |||
| CVE-2022-36100 | unknown | — | — | 4y ago | XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection | |||
| CVE-2022-36113 | unknown | — | — | 4y ago | Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it… | |||
| CVE-2022-36114 | unknown | — | — | 4y ago | Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternat… | |||
| CVE-2022-36092 | unknown | — | — | 4y ago | XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action | |||
| CVE-2022-36093 | unknown | — | — | 4y ago | XWiki Platform Web Templates vulnerable to Unauthorized User Registration Through the Distribution Wizard | |||
| CVE-2022-36094 | unknown | — | — | 4y ago | XWiki Platform Web Parent POM vulnerable to XSS in the attachment history | |||
| CVE-2022-25897 | unknown | — | — | 4y ago | Eclipse Milo vulnerable to Resource Exhaustion (Denial of Service) | |||
| CVE-2022-37724 | unknown | — | — | 4y ago | Project Wonder WebObjects vulnerable to Arbitrary HTTP Header Injection and Cross-site Scripting | |||
| CVE-2022-1278 | unknown | — | — | 4y ago | WildFly vulnerable to Insecure Default Initialization of Resource | |||
| CVE-2022-40634 | unknown | — | — | 4y ago | CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources | |||
| CVE-2022-40635 | unknown | — | — | 4y ago | CrafterCMS OS Command Injection vulnerability | |||
| CVE-2022-37767 | unknown | — | — | 4y ago | Pebble Templates protection mechanism bypass can lead to arbitrary code execution | |||
| CVE-2022-37734 | unknown | — | — | 4y ago | graphql-java vulnerable to Denial of Service via GraphQL query that consumes CPU resources | |||
| CVE-2022-39135 | unknown | — | — | 4y ago | Apache Calcite before 1.32.0 vulnerable to potential XML External Entity (XXE) attack | |||
| CVE-2022-26049 | unknown | — | — | 4y ago | Goomph before 3.37.2 allows malicious zip file to write contents to arbitrary locations | |||
| CVE-2022-28220 | unknown | — | — | 4y ago | Apache James vulnerable to buffering attack | |||
| CVE-2022-25914 | unknown | — | — | 4y ago | com.google.cloud.tools:jib-core vulnerable to Remote Code Execution (RCE) | |||
| CVE-2022-36663 | unknown | — | — | 4y ago | Gluu Oxauth before v4.4.1 vulnerable to Server-Side Request Forgery attacks via a crafted request_uri parameter | |||
| CVE-2022-38370 | unknown | — | — | 4y ago | Apache IoTDB grafana-connector contains an interface without authorization | |||
| CVE-2022-38369 | unknown | — | — | 4y ago | Apache IoTDB Session Fixation vulnerability | |||
| CVE-2022-37435 | unknown | — | — | 4y ago | Apache ShenYu Admin has insecure permissions | |||
| CVE-2022-36033 | unknown | — | — | 4y ago | jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled | |||
| CVE-2022-37023 | unknown | — | — | 4y ago | Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data | |||
| CVE-2022-37022 | unknown | — | — | 4y ago | Apache Geode versions deserialization of untrusted datawhen using JMX over RMI on Java 11 | |||
| CVE-2022-37021 | unknown | — | — | 4y ago | Apache Geode vulnerable to Deserialization of Untrusted Data | |||
| CVE-2022-2466 | unknown | — | — | 4y ago | Quarkus does not terminate HTTP requests header context | |||
| CVE-2022-0225 | unknown | — | — | 4y ago | Keycloak XSS via use of malicious payload as group name when creating new group from admin console | |||
| CVE-2022-0084 | unknown | — | — | 4y ago | XNIO `notifyReadClosed` method logging message to unexpected end | |||
| CVE-2022-36527 | unknown | — | — | 4y ago | Jfinal Cross-site Scripting vulnerability | |||
| CVE-2022-37199 | unknown | — | — | 4y ago | SQL injection in jflyfox jfinal | |||
| CVE-2022-37223 | unknown | — | — | 4y ago | SQL injection in jflyfox jfinal | |||
| CVE-2022-35278 | unknown | — | — | 4y ago | HTML Injection in ActiveMQ Artemis Web Console | |||
| CVE-2022-38665 | unknown | — | — | 4y ago | RabbitMQ password stored in plain text by Jenkins CollabNet Plugins Plugin | |||
| CVE-2022-38664 | unknown | — | — | 4y ago | Cross-site Scripting in Jenkins Job Configuration History Plugin | |||
| CVE-2022-38663 | unknown | — | — | 4y ago | Improper masking of credentials Jenkins in Git Plugin | |||
| CVE-2022-34916 | unknown | — | — | 4y ago | Remote code execution in Apache Flume | |||
| CVE-2022-36157 | unknown | — | — | 4y ago | Improper Privilege Management in com.xuxueli:xxl-job | |||
| CVE-2022-37422 | unknown | — | — | 4y ago | Path Traversal in Payara | |||
| CVE-2022-36007 | unknown | — | — | 4y ago | Venice vulnerable to Partial Path Traversal issue within the functions `load-file` and `load-resource` | |||
| CVE-2022-35948 | unknown | — | — | 4y ago | undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically… | |||
| CVE-2022-35949 | unknown | — | — | 4y ago | undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option… | |||
| CVE-2022-38216 | unknown | — | — | 4y ago | Mapbox is vulnerable to Integer Overflow | |||
| CVE-2022-36599 | unknown | — | — | 4y ago | Mingsoft MCMS SQL injection vulnerability in /mdiy/model/delete URI via models List | |||
| CVE-2022-36272 | unknown | — | — | 4y ago | Mingsoft MCMS SQL injection vulnerability in /mdiy/page/verify URI via fieldName parameter | |||
| CVE-2022-38179 | unknown | — | — | 4y ago | JetBrains Ktor before 2.1.0 was vulnerable to a Reflect File Download attack | |||
| CVE-2022-38180 | unknown | — | — | 4y ago | JetBrain Ktor before 2.1.0 vulnerable to selection of wrong authentication provider | |||
| CVE-2022-2390 | unknown | — | — | 4y ago | Google Play Services SDK leads to apps having incorrectly set mutability flag | |||
| CVE-2022-35980 | unknown | — | — | 4y ago | OpenSearch vulnerable to Improper Authorization of Index Containing Sensitive Information | |||
| CVE-2022-37423 | unknown | — | — | 4y ago | Neo4j Graph apoc plugins Partial Path Traversal Vulnerability | |||
| CVE-2022-35697 | unknown | — | — | 4y ago | AEM WCM Core Components CVG Image vulnerable to Reflected Cross-site Scripting | |||
| CVE-2022-31195 | unknown | — | — | 4y ago | DSpace ItemImportService API Vulnerable to Path Traversal in Simple Archive Format Package Import | |||
| CVE-2022-31194 | unknown | — | — | 4y ago | JSPUI vulnerable to path traversal in submission (resumable) upload | |||
| CVE-2022-31193 | unknown | — | — | 4y ago | JSPUI's controlled vocabulary feature vulnerable to Open Redirect before v6.4 and v5.11 | |||
| CVE-2022-31192 | unknown | — | — | 4y ago | JSPUI Possible Cross Site Scripting in "Request a Copy" Feature | |||
| CVE-2022-31191 | unknown | — | — | 4y ago | JSPUI spellcheck and autocomplete tools vulnerable to Cross Site Scripting | |||
| CVE-2022-31190 | unknown | — | — | 4y ago | XMLUI's metadata of withdrawn Items is exposed to anonymous users | |||
| CVE-2022-31189 | unknown | — | — | 4y ago | JSPUI's "Internal System Error" page prints exceptions and stack traces without sanitization | |||
| CVE-2022-2053 | unknown | — | — | 4y ago | Undertow vulnerable to Dos via Large AJP request | |||
| CVE-2022-27166 | unknown | — | — | 4y ago | Apache JSPWiki XSS due to crafted request on XHRHtml2Markup.jsp | |||
| CVE-2022-34158 | unknown | — | — | 4y ago | Apache JSPWiki CSRF due to crafted invocation on the Image plugin | |||
| CVE-2022-28731 | unknown | — | — | 4y ago | Apache JSPWiki CSRF due to crafted request on UserPreferences.jsp | |||
| CVE-2022-28730 | unknown | — | — | 4y ago | Apache JSPWiki XSS due to incomplete patch for CVE-2021-40369 | |||
| CVE-2022-28732 | unknown | — | — | 4y ago | Apache JSPWiki XSS due to crafted request in WeblogPlugin | |||
| CVE-2022-25168 | unknown | — | — | 4y ago | Apache Hadoop argument injection vulnerability | |||
| CVE-2022-37394 | unknown | — | — | 4y ago | An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and… | |||
| CVE-2022-25867 | unknown | — | — | 4y ago | Socket.IO-client Java before 2.0.1 vulnerable to NULL Pointer Dereference | |||
| CVE-2022-2576 | unknown | — | — | 4y ago | Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch | |||
| CVE-2022-31183 | unknown | — | — | 4y ago | fs2-io skips mTLS client verification | |||
| CVE-2022-36364 | unknown | — | — | 4y ago | Apache Calcite Avatica JDBC driver arbitrary code execution | |||
| CVE-2022-36887 | unknown | — | — | 4y ago | Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints | |||
| CVE-2022-36885 | unknown | — | — | 4y ago | Jenkins GitHub plugin uses weak webhook signature function | |||
| CVE-2022-36881 | unknown | — | — | 4y ago | Jenkins Git client plugin 3.11.0 does not perform SSH host key verification | |||
| CVE-2022-36882 | unknown | — | — | 4y ago | Lack of authentication mechanism in Jenkins Git Plugin webhook | |||
| CVE-2022-36884 | unknown | — | — | 4y ago | Lack of authentication mechanism in Jenkins Git Plugin webhook | |||
| CVE-2022-36883 | unknown | — | — | 4y ago | Lack of authentication mechanism in Jenkins Git Plugin webhook | |||
| CVE-2022-36888 | unknown | — | — | 4y ago | Jenkins HashiCorp Vault Plugin does not perform permission checks in several HTTP endpoints that perform Vault connection tests | |||
| CVE-2022-36886 | unknown | — | — | 4y ago | External Monitor Job Type Plugin does not require POST requests for an HTTP endpoint | |||
| CVE-2022-36911 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins openstack-heat Plugin | |||
| CVE-2022-36895 | unknown | — | — | 4y ago | Jenkins Compuware Topaz Utilities Plugin is missing authorization | |||
| CVE-2022-36921 | unknown | — | — | 4y ago | Missing permission check in Coverity Plugin allows capturing credentials | |||
| CVE-2022-36912 | unknown | — | — | 4y ago | Missing permission checks in Jenkins openstack-heat Plugin | |||
| CVE-2022-36893 | unknown | — | — | 4y ago | Jenkins rpmsign-plugin does not perform a permission check in a method implementing form validation | |||
| CVE-2022-36897 | unknown | — | — | 4y ago | Jenkins Compuware Xpediter Code Coverage Plugin Missing Authorization | |||
| CVE-2022-36917 | unknown | — | — | 4y ago | Jenkins Google Cloud Backup Plugin allows attackers with Overall/Read permission to request a manual backup. | |||
| CVE-2022-36891 | unknown | — | — | 4y ago | Jenkins Deployer Framework Plugin allows attackers with Item/Read permission to read deployment logs | |||
| CVE-2022-36894 | unknown | — | — | 4y ago | Arbitrary file write vulnerability in Jenkins CLIF Performance Testing plugin | |||
| CVE-2022-36896 | unknown | — | — | 4y ago | Jenkins Compuware Source Code Download is missing authorization | |||
| CVE-2022-36890 | unknown | — | — | 4y ago | Jenkins Deployer Framework Plugin vulnerable to Path Traversal | |||
| CVE-2022-36918 | unknown | — | — | 4y ago | Jenkins Buckminster Plugin does not perform a permission check in a method implementing form validation | |||
| CVE-2022-36915 | unknown | — | — | 4y ago | Jenkins Android Signing Plugin allows attackers to check whether attacker-specified file patterns match workspace contents | |||
| CVE-2022-36919 | unknown | — | — | 4y ago | Jenkins Coverity Plugin allows attackers with Overall/Read permission to enumerate credentials IDs |