CVEs from 2024
Total
6,685
critical
critical 124
high
high 1,047
medium
medium 2,024
low
low 48
% Critical
1.9%
% with KEV
2.4%
% with exploit
3.3%
Top products
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-42469 | unknown | — | — | 2y ago | CometVisu Backend for openHAB affected by RCE through path traversal | |||
| CVE-2024-42470 | unknown | — | — | 2y ago | CometVisu Backend for openHAB has a sensitive information disclosure vulnerability | |||
| CVE-2024-42467 | unknown | — | — | 2y ago | CometVisu Backend for openHAB affected by SSRF/XSS | |||
| CVE-2024-42367 | unknown | — | — | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.g… | |||
| CVE-2024-43045 | unknown | — | — | 2y ago | Jenkins does not perform a permission check in an HTTP endpoint | |||
| CVE-2024-43044 | unknown | — | — | 2y ago | Jenkins Remoting library arbitrary file read vulnerability | |||
| CVE-2024-36116 | unknown | — | — | 2y ago | Path traversal in Reposilite javadoc file expansion (arbitrary file creation/overwrite) (`GHSL-2024-073`) | |||
| CVE-2024-36115 | unknown | — | — | 2y ago | Reposilite artifacts vulnerable to Stored Cross-site Scripting | |||
| CVE-2024-27182 | unknown | — | — | 2y ago | Apache Linkis arbitrary file deletion vulnerability | |||
| CVE-2024-27181 | unknown | — | — | 2y ago | Apache Linkis vulnerable to privilege escalation | |||
| CVE-2024-36268 | unknown | — | — | 2y ago | Apache Inlong Code Injection vulnerability | |||
| CVE-2024-41948 | unknown | — | — | 2y ago | biscuit-java vulnerable to public key confusion in third party block | |||
| CVE-2024-23444 | unknown | — | — | 2y ago | Elasticsearch stores private key on disk unencrypted | |||
| CVE-2024-37901 | unknown | — | — | 2y ago | XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet | |||
| CVE-2024-37900 | unknown | — | — | 2y ago | XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader | |||
| CVE-2024-37898 | unknown | — | — | 2y ago | XWiki Platform vulnerable to document deletion and overwrite from edit | |||
| CVE-2024-41110 | unknown | — | — | 2y ago | Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypas… | |||
| CVE-2024-40094 | unknown | — | — | 2y ago | GraphQL Java does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service | |||
| CVE-2024-1724 | unknown | — | — | 2y ago | In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. In Ubuntu, when this path exists, it is automatica… | |||
| CVE-2024-29068 | unknown | — | — | 2y ago | In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image and so can contain files that are non-regular fil… | |||
| CVE-2024-29069 | unknown | — | — | 2y ago | In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squashfs file-system image and so can contain symbolic … | |||
| CVE-2024-41667 | unknown | — | — | 2y ago | OpenAM FreeMarker template injection | |||
| CVE-2024-37084 | unknown | — | — | 2y ago | Remote code execution in Spring Cloud Data Flow | |||
| CVE-2024-39676 | unknown | — | — | 2y ago | Apache Pinot: Unauthorized endpoint exposed sensitive information | |||
| CVE-2024-40767 | unknown | — | — | 2y ago | In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a desc… | |||
| CVE-2024-25638 | unknown | — | — | 2y ago | DNSJava DNSSEC Bypass | |||
| CVE-2024-38503 | unknown | — | — | 2y ago | Apache Syncope Improper Input Validation vulnerability | |||
| CVE-2024-23321 | unknown | — | — | 2y ago | Apache RocketMQ Vulnerable to Unauthorized Exposure of Sensitive Data | |||
| CVE-2024-6960 | unknown | — | — | 2y ago | H2O vulnerable to Deserialization of Untrusted Data | |||
| CVE-2024-32007 | unknown | — | — | 2y ago | Apache CXF Denial of Service vulnerability in JOSE | |||
| CVE-2024-41172 | unknown | — | — | 2y ago | Apache CXF allows unrestricted memory consumption in CXF HTTP clients | |||
| CVE-2024-29736 | unknown | — | — | 2y ago | Apache CXF: SSRF vulnerability via WADL stylesheet parameter | |||
| CVE-2024-40642 | unknown | — | — | 2y ago | Absent Input Validation in BinaryHttpParser | |||
| CVE-2024-39900 | unknown | — | — | 2y ago | The OpenSearch reporting plugin improperly controls tenancy access to reporting resources | |||
| CVE-2024-29178 | unknown | — | — | 2y ago | Apache StreamPark: FreeMarker SSTI RCE Vulnerability | |||
| CVE-2024-29120 | unknown | — | — | 2y ago | Apache StreamPark: Information leakage vulnerability | |||
| CVE-2024-31411 | unknown | — | — | 2y ago | Apache StreamPipes has potential remote code execution (RCE) via file upload | |||
| CVE-2024-29737 | unknown | — | — | 2y ago | Apache StreamPark: maven build params could trigger remote command execution | |||
| CVE-2024-31979 | unknown | — | — | 2y ago | Apache StreamPipes has possibility of SSRF in pipeline element installation process | |||
| CVE-2024-30471 | unknown | — | — | 2y ago | Apache StreamPipes potentially allows creation of multiple identical accounts | |||
| CVE-2024-36522 | unknown | — | — | 2y ago | Apache Wicket: Remote code execution via XSLT injection | |||
| CVE-2024-6484 | unknown | — | — | 2y ago | Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability | |||
| CVE-2024-39901 | unknown | — | — | 2y ago | OpenSearch Observability does not properly restrict access to private tenant resources | |||
| CVE-2024-39031 | unknown | — | — | 2y ago | Silverpeas Core Cross-site Scripting vulnerability | |||
| CVE-2024-22271 | unknown | — | — | 2y ago | Spring Cloud Function Framework vulnerable to Denial of Service | |||
| CVE-2024-38372 | unknown | — | — | 2y ago | Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the N… | |||
| CVE-2024-3653 | unknown | — | — | 2y ago | Undertow Missing Release of Memory after Effective Lifetime vulnerability | |||
| CVE-2024-5971 | unknown | — | — | 2y ago | Undertow Denial of Service vulnerability | |||
| CVE-2024-37389 | unknown | — | — | 2y ago | Apache NiFi vulnerable to Cross-site Scripting | |||
| CVE-2024-39689 | unknown | — | — | 2y ago | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.… | |||
| CVE-2024-32498 | unknown | — | — | 2y ago | An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 … | |||
| CVE-2024-24749 | unknown | — | — | 2y ago | Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat | |||
| CVE-2024-34696 | unknown | — | — | 2y ago | GeoServer's Server Status shows sensitive environmental variables and Java properties | |||
| CVE-2024-39460 | unknown | — | — | 2y ago | Bitbucket OAuth access token exposed in the build log by Bitbucket Branch Source Plugin | |||
| CVE-2024-39459 | unknown | — | — | 2y ago | Secret file credentials stored unencrypted in rare cases by Plain Credentials Plugin | |||
| CVE-2024-39458 | unknown | — | — | 2y ago | Exposure of secrets through system log in Jenkins Structs Plugin | |||
| CVE-2024-38364 | unknown | — | — | 2y ago | DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document | |||
| CVE-2024-38374 | unknown | — | — | 2y ago | Improper Restriction of XML External Entity Reference in org.cyclonedx:cyclonedx-core-java | |||
| CVE-2024-38369 | unknown | — | — | 2y ago | XWiki programming rights may be inherited by inclusion | |||
| CVE-2024-29868 | unknown | — | — | 2y ago | Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation | |||
| CVE-2024-27136 | unknown | — | — | 2y ago | Cross site scripting in Apache JSPWiki | |||
| CVE-2024-5967 | unknown | — | — | 2y ago | Keycloak leaks configured LDAP bind credentials through the Keycloak admin console | |||
| CVE-2024-37899 | unknown | — | — | 2y ago | XWiki Platform allows remote code execution from user account | |||
| CVE-2024-6162 | unknown | — | — | 2y ago | Undertow's url-encoded request path information can be broken on ajp-listener | |||
| CVE-2024-38595 | unknown | — | — | 2y ago | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix peer devlink set for SF representor devlink port The cited patch change register devlink flow, and neglect to refle… | |||
| CVE-2024-36543 | unknown | — | — | 2y ago | STRIMZI incorrect access control | |||
| CVE-2024-37902 | unknown | — | — | 2y ago | DeepJavaLibrary API absolute path traversal | |||
| CVE-2024-38460 | unknown | — | — | 2y ago | SonarQube logs sensitive information | |||
| CVE-2024-37309 | unknown | — | — | 2y ago | CrateDB has a Client initialized Session-Renegotiation DoS | |||
| CVE-2024-37280 | unknown | — | — | 2y ago | Elasticsearch StackOverflow vulnerability | |||
| CVE-2024-1722 | unknown | — | — | 2y ago | Keycloak Denial of Service via account lockout | |||
| CVE-2024-36263 | unknown | — | — | 2y ago | Apache Submarine Server Core has a SQL Injection Vulnerability | |||
| CVE-2024-36265 | unknown | — | — | 2y ago | Apache Submarine Server Core Incorrect Authorization vulnerability | |||
| CVE-2024-36264 | unknown | — | — | 2y ago | Apache Submarine Commons Utils has a hard-coded secret | |||
| CVE-2024-3656 | unknown | — | — | 2y ago | Keycloak's admin API allows low privilege users to use administrative functions | |||
| CVE-2024-35255 | unknown | — | — | 2y ago | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability | |||
| CVE-2024-35241 | unknown | — | — | 2y ago | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing … | |||
| CVE-2024-35242 | unknown | — | — | 2y ago | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch na… | |||
| CVE-2024-4540 | unknown | — | — | 2y ago | Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) | |||
| CVE-2024-37568 | unknown | — | — | 2y ago | lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (… | |||
| CVE-2024-36823 | unknown | — | — | 2y ago | Weak encryption in Ninja Core | |||
| CVE-2024-36121 | unknown | — | — | 2y ago | BoringSSLAEADContext in Netty Repeats Nonces | |||
| CVE-2024-36124 | unknown | — | — | 2y ago | iq80 Snappy out-of-bounds read when uncompressing data, leading to JVM crash | |||
| CVE-2024-36042 | unknown | — | — | 2y ago | Silverpeas authentication bypass | |||
| CVE-2024-36114 | unknown | — | — | 2y ago | Decompressors can crash the JVM and leak memory content in Aircompressor | |||
| CVE-2024-5520 | unknown | — | — | 2y ago | OpenCMS Cross-Site Scripting vulnerability | |||
| CVE-2024-35219 | unknown | — | — | 2y ago | OpenAPI Generator Online - Arbitrary File Read/Delete | |||
| CVE-2024-22588 | unknown | — | — | 2y ago | Kwik does not discard unused encryption keys | |||
| CVE-2024-5273 | unknown | — | — | 2y ago | Jenkins Report Info Plugin Path Traversal vulnerability | |||
| CVE-2024-5165 | unknown | — | — | 2y ago | Eclipse Ditto vulnerable to Cross-site Scripting | |||
| CVE-2024-29392 | unknown | — | — | 2y ago | Silverpeas Core vulnerable to Cross Site Scripting | |||
| CVE-2024-28087 | unknown | — | — | 2y ago | Bonitasoft Runtime Community edition's contains an insecure direct object references vulnerability | |||
| CVE-2024-32888 | unknown | — | — | 2y ago | Amazon JDBC Driver for Redshift SQL Injection via line comment generation | |||
| CVE-2024-3462 | unknown | — | — | 2y ago | Ant Media Server does not properly authorize non-administrative API calls | |||
| CVE-2024-34365 | unknown | — | — | 2y ago | Apache Karaf Cave: Cave SSRF and arbitrary file access | |||
| CVE-2024-30171 | unknown | — | — | 2y ago | Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack") | |||
| CVE-2024-29857 | unknown | — | — | 2y ago | Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation. | |||
| CVE-2024-30172 | unknown | — | — | 2y ago | Bouncy Castle crafted signature and public key can be used to trigger an infinite loop | |||
| CVE-2024-4701 | unknown | — | — | 2y ago | Genie Path Traversal vulnerability via File Uploads | |||
| CVE-2024-26579 | unknown | — | — | 2y ago | Apache Inlong Deserialization of Untrusted Data vulnerability |