CVEs from 2024
- Total: 6,678
- Critical: 124
- High: 1,047
- Medium: 2,013
- Low: 48
- % Critical: 1.9%
- % with KEV: 2.4%
- % with exploit: 3.3%
Top products
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-46910 | unknown | — | — | 1y ago | Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user |
| CVE-2024-32037 | unknown | — | — | 1y ago | GeoNetwork search end-point information disclosure in response headers |
| CVE-2024-52067 | unknown | — | — | 1y ago | Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log |
| CVE-2024-57606 | unknown | — | — | 1y ago | SQL injection in JeecgBoot |
| CVE-2024-37358 | unknown | — | — | 1y ago | Apache James vulnerable to denial of service through the use of IMAP literals |
| CVE-2024-45626 | unknown | — | — | 1y ago | Apache James vulnerable to denial of service through JMAP HTML to text conversion |
| CVE-2024-57699 | unknown | — | — | 1y ago | Netplex Json-smart Uncontrolled Recursion vulnerability |
| CVE-2024-10973 | unknown | — | — | 1y ago | Keycloak on Quarkus CLI option for encrypted JGroups ignored |
| CVE-2024-36404 | unknown | — | — | 1y ago | GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions |
| CVE-2024-27137 | unknown | — | — | 1y ago | Apache Cassandra: unrestricted deserialization of JMX authentication credentials |
| CVE-2024-57439 | unknown | — | — | 1y ago | RuoYi vulnerable to Denial of Service by attackers with admin privileges |
| CVE-2024-57436 | unknown | — | — | 1y ago | RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring |
| CVE-2024-57438 | unknown | — | — | 1y ago | RuoYi has insecure permissions |
| CVE-2024-29869 | unknown | — | — | 1y ago | Apache Hive Incorrectly Assigns Permissions for a Critical Resource |
| CVE-2024-23953 | unknown | — | — | 1y ago | Apache Hive vulnerable to Observable Timing Discrepancy and Authentication Bypass by Spoofing |
| CVE-2024-52012 | unknown | — | — | 1y ago | Apache Solr Relative Path Traversal vulnerability |
| CVE-2024-52807 | unknown | — | — | 1y ago | XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher` |
| CVE-2024-53299 | unknown | — | — | 1y ago | Apache Wicket: An attacker can intentionally trigger a memory leak |
| CVE-2024-56923 | unknown | — | — | 1y ago | Cross-site scripting in Silverpeas Core |
| CVE-2024-45479 | unknown | — | — | 1y ago | Apache Ranger UI vulnerable to Server-Side Request Forgery |
| CVE-2024-45478 | unknown | — | — | 1y ago | Apache Ranger has Stored Cross-site Scripting vulnerability in Edit Service Page |
| CVE-2024-43709 | unknown | — | — | 1y ago | Elasticsearch allocation of resources without limits or throttling leads to crash |
| CVE-2024-5138 | unknown | — | — | 1y ago | The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse … |
| CVE-2024-45627 | unknown | — | — | 1y ago | Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with MySQL has file read vulnerability |
| CVE-2024-11734 | unknown | — | — | 1y ago | Denial of Service in Keycloak Server via Security Headers |
| CVE-2024-11736 | unknown | — | — | 1y ago | Keycloak allows unrestricted admin use of system and environment variables |
| CVE-2024-54676 | unknown | — | — | 1y ago | Apache OpenMeetings vulnerable to Deserialization of Untrusted Data |
| CVE-2024-8447 | unknown | — | — | 1y ago | Narayana deadlock via multiple join requests sent to LRA Coordinator |
| CVE-2024-56512 | unknown | — | — | 1y ago | Apache NiFi: Missing Complete Authorization for Parameter and Service References |
| CVE-2024-12744 | unknown | — | — | 1y ago | Amazon Redshift JDBC Driver vulnerable to SQL Injection |
| CVE-2024-52046 | unknown | — | — | 1y ago | Apache MINA Deserialization RCE Vulnerability |
| CVE-2024-43441 | unknown | — | — | 1y ago | Apache HugeGraph-Server: Fixed JWT Token (Secret) |
| CVE-2024-23945 | unknown | — | — | 2y ago | Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails |
| CVE-2024-38819 | unknown | — | — | 2y ago | Spring Framework Path Traversal vulnerability |
| CVE-2024-12801 | unknown | — | — | 2y ago | QOS.CH logback-core Server-Side Request Forgery vulnerability |
| CVE-2024-12798 | unknown | — | — | 2y ago | QOS.CH logback-core Expression Language Injection vulnerability |
| CVE-2024-56128 | unknown | — | — | 2y ago | Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm |
| CVE-2024-49194 | unknown | — | — | 2y ago | Databricks JDBC Driver Command Injection vulnerability |
| CVE-2024-11993 | unknown | — | — | 2y ago | Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting |
| CVE-2024-12539 | unknown | — | — | 2y ago | Elasticsearch Incorrect Authorization vulnerability |
| CVE-2024-35230 | unknown | — | — | 2y ago | Welcome and About GeoServer pages communicate version and revision information |
| CVE-2024-55887 | unknown | — | — | 2y ago | Ucum-java has an XXE vulnerability in XML parsing |
| CVE-2024-55662 | unknown | — | — | 2y ago | XWiki allows remote code execution through the extension sheet |
| CVE-2024-55663 | unknown | — | — | 2y ago | XWiki Platform has an SQL injection in getdocuments.vm with sort parameter |
| CVE-2024-55875 | unknown | — | — | 2y ago | http4k has a potential XXE (XML External Entity Injection) vulnerability |
| CVE-2024-55876 | unknown | — | — | 2y ago | XWiki's scheduler in subwiki allows scheduling operations for any main wiki user |
| CVE-2024-55877 | unknown | — | — | 2y ago | XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList |
| CVE-2024-55879 | unknown | — | — | 2y ago | XWiki allows RCE from script right in configurable sections |
| CVE-2024-12397 | unknown | — | — | 2y ago | io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling |
| CVE-2024-45337 | unknown | — | — | 2y ago | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerCo… |
| CVE-2024-53677 | unknown | — | — | 2y ago | Apache Struts file upload logic is flawed |
| CVE-2024-6156 | unknown | — | — | 2y ago | Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store. |
| CVE-2024-6219 | unknown | — | — | 2y ago | Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. |
| CVE-2024-55565 | unknown | — | — | 2y ago | nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. |
| CVE-2024-54140 | unknown | — | — | 2y ago | sigstore-java has a vulnerability with bundle verification |
| CVE-2024-38829 | unknown | — | — | 2y ago | Spring LDAP data exposure vulnerability |
| CVE-2024-45106 | unknown | — | — | 2y ago | Apache Ozone: Improper authentication when generating S3 secrets |
| CVE-2024-53990 | unknown | — | — | 2y ago | AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s |
| CVE-2024-38827 | unknown | — | — | 2y ago | Spring Framework has Authorization Bypass for Case Sensitive Comparisons |
| CVE-2024-35371 | unknown | — | — | 2y ago | Ant-Media-Server vulnerable to Improper Output Neutralization for Logs |
| CVE-2024-36620 | unknown | — | — | 2y ago | moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go. |
| CVE-2024-36623 | unknown | — | — | 2y ago | moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application cr… |
| CVE-2024-36621 | unknown | — | — | 2y ago | moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function result… |
| CVE-2024-49203 | unknown | — | — | 2y ago | Querydsl vulnerable to HQL injection through orderBy |
| CVE-2024-54003 | unknown | — | — | 2y ago | Jenkins Simple Queue Plugin has stored cross-site scripting (XSS) vulnerability |
| CVE-2024-54004 | unknown | — | — | 2y ago | Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability |
| CVE-2024-53267 | unknown | — | — | 2y ago | sigstore-java has vulnerability with bundle verification |
| CVE-2024-10039 | unknown | — | — | 2y ago | Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination |
| CVE-2024-9666 | unknown | — | — | 2y ago | Keycloak proxy header handling Denial-of-Service (DoS) vulnerability |
| CVE-2024-10451 | unknown | — | — | 2y ago | Keycloak Build Process Exposes Sensitive Data |
| CVE-2024-53916 | unknown | — | — | 2y ago | In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileg… |
| CVE-2024-52797 | unknown | — | — | 2y ago | Searching Opencast may cause a denial of service |
| CVE-2024-31141 | unknown | — | — | 2y ago | Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider |
| CVE-2024-52304 | unknown | — | — | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request s… |
| CVE-2024-52303 | unknown | — | — | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError… |
| CVE-2024-52506 | unknown | — | — | 2y ago | Graylog concurrent PDF report rendering can leak other users' reports |
| CVE-2024-52318 | unknown | — | — | 2y ago | Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97… |
| CVE-2024-52316 | unknown | — | — | 2y ago | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception dur… |
| CVE-2024-52317 | unknown | — | — | 2y ago | Incorrect object recycling and reuse vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between us… |
| CVE-2024-38828 | unknown | — | — | 2y ago | Spring MVC controller vulnerable to a DoS attack |
| CVE-2024-42499 | unknown | — | — | 2y ago | FitNesse Path Traversal |
| CVE-2024-39610 | unknown | — | — | 2y ago | FitNesse Cross-site scripting |
| CVE-2024-52553 | unknown | — | — | 2y ago | Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin |
| CVE-2024-52554 | unknown | — | — | 2y ago | Script security bypass vulnerability in Jenkins Shared Library Version Override Plugin |
| CVE-2024-52552 | unknown | — | — | 2y ago | Stored XSS vulnerability in Jenkins Authorize Project Plugin |
| CVE-2024-52550 | unknown | — | — | 2y ago | Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin |
| CVE-2024-52551 | unknown | — | — | 2y ago | Restarting a run with revoked script approval allowed by Jenkins Pipeline: Declarative Plugin |
| CVE-2024-52549 | unknown | — | — | 2y ago | Missing permission check in Jenkins Script Security Plugin |
| CVE-2024-51996 | unknown | — | — | 2y ago | Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted i… |
| CVE-2024-47535 | unknown | — | — | 2y ago | Denial of Service attack on Windows app using Netty |
| CVE-2024-51135 | unknown | — | — | 2y ago | powertac-server XML External Entity vulnerability |
| CVE-2024-52007 | unknown | — | — | 2y ago | XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` |
| CVE-2024-47072 | unknown | — | — | 2y ago | XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream |
| CVE-2024-51504 | unknown | — | — | 2y ago | Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server |
| CVE-2024-51755 | unknown | — | — | 2y ago | Twig is a template language for PHP. In a sandbox, an attacker can access attributes of Array-like objects as they were not checked by the security policy. They are now checked via the property polic… |
| CVE-2024-51754 | unknown | — | — | 2y ago | Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of … |
| CVE-2024-51736 | unknown | — | — | 2y ago | Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory i… |
| CVE-2024-50345 | unknown | — | — | 2y ago | symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URI with special characters t… |
| CVE-2024-50343 | unknown | — | — | 2y ago | symfony/validator is a module for the Symfony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metachar… |
| CVE-2024-50342 | unknown | — | — | 2y ago | symfony/http-client is a module for the Symfony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, so… |