CVEs from 2024

Total: 6,700
- critical: 138
- high: 1,058
- medium: 2,045
- low: 49
(the four severity bands account for 3,290 entries; the remaining 3,410 carry no severity rating in this dataset)

% Critical: 2.1% (138 of 6,700)
% with KEV: 2.4% (listed in the CISA Known Exploited Vulnerabilities catalog)
% with exploit: 3.3% (a public exploit exists)
Top products (CVE count)
- surveillance_station 12
- checkmk 10
- profilegrid 8
- office 8
- office_long_term_servicing_channel 6
- glibc 5
- virtual_traffic_manager 5
- element_pack 5
Top packages
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-24778 | unknown | — | — | 1y ago | Apache StreamPipes has improper privilege management in a REST interface |
| CVE-2024-2321 | unknown | — | — | 1y ago | WSO2 incorrect authorization vulnerability |
| CVE-2024-4028 | unknown | — | — | 1y ago | Keycloak allows cross-site scripting (XSS) |
| CVE-2024-56180 | unknown | — | — | 1y ago | Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution |
| CVE-2024-52577 | unknown | — | — | 1y ago | Apache Ignite: Possible RCE when deserializing incoming messages by the server node |
| CVE-2024-46910 | unknown | — | — | 1y ago | Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user |
| CVE-2024-32037 | unknown | — | — | 1y ago | GeoNetwork search end-point information disclosure in response headers |
| CVE-2024-52067 | unknown | — | — | 1y ago | Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log |
| CVE-2024-57606 | unknown | — | — | 1y ago | SQL injection in JeecgBoot |
| CVE-2024-45626 | unknown | — | — | 1y ago | Apache James vulnerable to denial of service through JMAP HTML to text conversion |
| CVE-2024-37358 | unknown | — | — | 1y ago | Apache James vulnerable to denial of service through the use of IMAP literals |
| CVE-2024-57699 | unknown | — | — | 1y ago | Netplex Json-smart Uncontrolled Recursion vulnerability |
| CVE-2024-10973 | unknown | — | — | 1y ago | Keycloak on Quarkus CLI option for encrypted JGroups ignored |
| CVE-2024-36404 | unknown | — | — | 1y ago | GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions |
| CVE-2024-27137 | unknown | — | — | 1y ago | Apache Cassandra: unrestricted deserialization of JMX authentication credentials |
| CVE-2024-57438 | unknown | — | — | 1y ago | RuoYi has insecure permissions |
| CVE-2024-57439 | unknown | — | — | 1y ago | RuoYi vulnerable to Denial of Service by attackers with admin privileges |
| CVE-2024-57436 | unknown | — | — | 1y ago | RuoYi allowed unauthorized attackers to view the session ID of the admin in the system monitoring |
| CVE-2024-29869 | unknown | — | — | 1y ago | Apache Hive Incorrectly Assigns Permissions for a Critical Resource |
| CVE-2024-23953 | unknown | — | — | 1y ago | Apache Hive vulnerable to Observable Timing Discrepancy and Authentication Bypass by Spoofing |
| CVE-2024-54550 | unknown | — | — | 1y ago | This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2. An app may be able to view autocompleted contact inform… |
| CVE-2024-54530 | unknown | — | — | 1y ago | The issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, macOS Sequoia 15.2, visionOS 2.2, watchOS 11.2. Password autofill may fill in passwords after failing au… |
| CVE-2024-54475 | unknown | — | — | 1y ago | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An app may be able to determi… |
| CVE-2024-52012 | unknown | — | — | 1y ago | Apache Solr Relative Path Traversal vulnerability |
| CVE-2024-52807 | unknown | — | — | 1y ago | XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher` |
| CVE-2024-53299 | unknown | — | — | 1y ago | Apache Wicket: An attacker can intentionally trigger a memory leak |
| CVE-2024-56923 | unknown | — | — | 1y ago | Cross-site scripting in Silverpeas Core |
| CVE-2024-45479 | unknown | — | — | 1y ago | Apache Ranger UI vulnerable to Server Side Request Forgery |
| CVE-2024-45478 | unknown | — | — | 1y ago | Apache Ranger has Stored Cross-site Scripting vulnerability in Edit Service Page |
| CVE-2024-43709 | unknown | — | — | 1y ago | Elasticsearch allocation of resources without limits or throttling leads to crash |
| CVE-2024-5138 | unknown | — | — | 1y ago | The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse … |
| CVE-2024-45627 | unknown | — | — | 1y ago | Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability |
| CVE-2024-11734 | unknown | — | — | 1y ago | Denial of Service in Keycloak Server via Security Headers |
| CVE-2024-11736 | unknown | — | — | 1y ago | Keycloak allows unrestricted admin use of system and environment variables |
| CVE-2024-54676 | unknown | — | — | 1y ago | Apache OpenMeetings vulnerable to Deserialization of Untrusted Data |
| CVE-2024-8447 | unknown | — | — | 1y ago | Narayana deadlock via multiple join requests sent to LRA Coordinator |
| CVE-2024-56512 | unknown | — | — | 1y ago | Apache NiFi: Missing Complete Authorization for Parameter and Service References |
| CVE-2024-12744 | unknown | — | — | 1y ago | Amazon Redshift JDBC Driver vulnerable to SQL Injection |
| CVE-2024-52046 | unknown | — | — | 1y ago | Apache MINA Deserialization RCE Vulnerability |
| CVE-2024-43441 | unknown | — | — | 2y ago | Apache HugeGraph-Server: Fixed JWT Token (Secret) |
| CVE-2024-23945 | unknown | — | — | 2y ago | Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails |
| CVE-2024-56334 | unknown | — | — | 2y ago | systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` f… |
| CVE-2024-38819 | unknown | — | — | 2y ago | Spring Framework Path Traversal vulnerability |
| CVE-2024-12798 | unknown | — | — | 2y ago | QOS.CH logback-core Expression Language Injection vulnerability |
| CVE-2024-12801 | unknown | — | — | 2y ago | QOS.CH logback-core Server-Side Request Forgery vulnerability |
| CVE-2024-56128 | unknown | — | — | 2y ago | Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm |
| CVE-2024-11993 | unknown | — | — | 2y ago | Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting |
| CVE-2024-49194 | unknown | — | — | 2y ago | Databricks JDBC Driver Command Injection vulnerability |
| CVE-2024-12539 | unknown | — | — | 2y ago | Elasticsearch Incorrect Authorization vulnerability |
| CVE-2024-35230 | unknown | — | — | 2y ago | Welcome and About GeoServer pages communicate version and revision information |
| CVE-2024-55887 | unknown | — | — | 2y ago | Ucum-java has an XXE vulnerability in XML parsing |
| CVE-2024-55662 | unknown | — | — | 2y ago | XWiki allows remote code execution through the extension sheet |
| CVE-2024-55663 | unknown | — | — | 2y ago | XWiki Platform has an SQL injection in getdocuments.vm with sort parameter |
| CVE-2024-55875 | unknown | — | — | 2y ago | http4k has a potential XXE (XML External Entity Injection) vulnerability |
| CVE-2024-55876 | unknown | — | — | 2y ago | XWiki's scheduler in subwiki allows scheduling operations for any main wiki user |
| CVE-2024-55877 | unknown | — | — | 2y ago | XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList |
| CVE-2024-55879 | unknown | — | — | 2y ago | XWiki allows RCE from script right in configurable sections |
| CVE-2024-12397 | unknown | — | — | 2y ago | io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling |
| CVE-2024-45337 | unknown | — | — | 2y ago | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerCo… |
| CVE-2024-53677 | unknown | — | — | 2y ago | Apache Struts file upload logic is flawed |
| CVE-2024-6156 | unknown | — | — | 2y ago | Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store. |
| CVE-2024-6219 | unknown | — | — | 2y ago | Mark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured. |
| CVE-2024-55565 | unknown | — | — | 2y ago | nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. |
| CVE-2024-54140 | unknown | — | — | 2y ago | sigstore-java has a vulnerability with bundle verification |
| CVE-2024-38829 | unknown | — | — | 2y ago | Spring LDAP data exposure vulnerability |
| CVE-2024-45106 | unknown | — | — | 2y ago | Apache Ozone: Improper authentication when generating S3 secrets |
| CVE-2024-53990 | unknown | — | — | 2y ago | AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s |
| CVE-2024-38827 | unknown | — | — | 2y ago | Spring Framework has Authorization Bypass for Case Sensitive Comparisons |
| CVE-2024-35371 | unknown | — | — | 2y ago | Ant-Media-Server vulnerable to Improper Output Neutralization for Logs |
| CVE-2024-36623 | unknown | — | — | 2y ago | moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application cr… |
| CVE-2024-36621 | unknown | — | — | 2y ago | moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function result… |
| CVE-2024-36620 | unknown | — | — | 2y ago | moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go. |
| CVE-2024-49203 | unknown | — | — | 2y ago | Querydsl vulnerable to HQL injection through orderBy |
| CVE-2024-54003 | unknown | — | — | 2y ago | Jenkins Simple Queue Plugin has stored cross-site scripting (XSS) vulnerability |
| CVE-2024-54004 | unknown | — | — | 2y ago | Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability |
| CVE-2024-53267 | unknown | — | — | 2y ago | sigstore-java has a vulnerability with bundle verification |
| CVE-2024-10039 | unknown | — | — | 2y ago | Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination |
| CVE-2024-9666 | unknown | — | — | 2y ago | Keycloak proxy header handling Denial-of-Service (DoS) vulnerability |
| CVE-2024-10451 | unknown | — | — | 2y ago | Keycloak Build Process Exposes Sensitive Data |
| CVE-2024-53916 | unknown | — | — | 2y ago | In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileg… |
| CVE-2024-52797 | unknown | — | — | 2y ago | Searching Opencast may cause a denial of service |
| CVE-2024-31141 | unknown | — | — | 2y ago | Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider |
| CVE-2024-52304 | unknown | — | — | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request s… |
| CVE-2024-52303 | unknown | — | — | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError… |
| CVE-2024-52506 | unknown | — | — | 2y ago | Graylog concurrent PDF report rendering can leak other users' reports |
| CVE-2024-52318 | unknown | — | — | 2y ago | Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97… |
| CVE-2024-8781 | unknown | — | — | 2y ago | Execution with Unnecessary Privileges and Improper Protection of Alternate Path vulnerability in TR7 Application Security Platform (ASP) allows Privilege Escalation and Privilege Abuse. This issue affe… |
| CVE-2024-52317 | unknown | — | — | 2y ago | Incorrect object recycling and reuse vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between us… |
| CVE-2024-52316 | unknown | — | — | 2y ago | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception dur… |
| CVE-2024-38828 | unknown | — | — | 2y ago | Spring MVC controller vulnerable to a DoS attack |
| CVE-2024-42499 | unknown | — | — | 2y ago | FitNesse Path Traversal |
| CVE-2024-39610 | unknown | — | — | 2y ago | FitNesse Cross-site scripting |
| CVE-2024-52551 | unknown | — | — | 2y ago | Restarting a run with revoked script approval allowed by Jenkins Pipeline: Declarative Plugin |
| CVE-2024-52549 | unknown | — | — | 2y ago | Missing permission check in Jenkins Script Security Plugin |
| CVE-2024-52552 | unknown | — | — | 2y ago | Stored XSS vulnerability in Jenkins Authorize Project Plugin |
| CVE-2024-52554 | unknown | — | — | 2y ago | Script security bypass vulnerability in Jenkins Shared Library Version Override Plugin |
| CVE-2024-52553 | unknown | — | — | 2y ago | Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin |
| CVE-2024-52550 | unknown | — | — | 2y ago | Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin |
| CVE-2024-51996 | unknown | — | — | 2y ago | Symfony process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted i… |
| CVE-2024-47535 | unknown | — | — | 2y ago | Denial of Service attack on Windows app using Netty |
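The rows above carry no severity, CVSS or risk score, so triage has to start from the description text. The following is an added example, not code from the listing or from the dashboard that generated it: it parses rows in this table's layout (and the shifted nine-cell layout some raw exports produce, where the age and description sit in the Flags/OS positions and the trailing cells are empty), then buckets each entry by vulnerability class. The bucket keywords are an editorial assumption for the example, not a field the listing defines; the sample rows are copied from the table.

```python
"""Parse CVE listing rows and bucket them for triage.

Added example (not from the listing). The BUCKETS keywords are an
assumption chosen for this example; adjust them to your own triage rules.
"""
import re
from collections import Counter

# CVE identifier as it appears in the first cell of every data row.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
# The listing only gives a relative publication age, e.g. "1y ago".
AGE = re.compile(r"^\d+[ymd] ago$")

# Triage buckets, checked in order; the first match wins.
# Assumption: editorial classes for this example, not anything the listing defines.
BUCKETS = [
    ("rce", re.compile(r"remote code execution|\brce\b|deserializ|command injection")),
    ("injection", re.compile(r"sql injection|hql injection|expression language injection")),
    ("xxe", re.compile(r"\bxxe\b|xml external entity")),
    ("traversal", re.compile(r"path traversal|file read")),
    ("xss", re.compile(r"cross[- ]site scripting|\bxss\b")),
    ("auth", re.compile(r"authoriz|authentic|permission|privilege|bypass|session fixation")),
    ("dos", re.compile(r"denial[- ]of[- ]service|\bdos\b|memory leak|crash|deadlock|recursion")),
    ("disclosure", re.compile(r"information disclosure|exposes|leak|sensitive")),
]

# Constructed sample: a few rows copied from the table above, in its layout.
SAMPLE_ROWS = """\
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2024-56180 | unknown | — | — | 1y ago | Apache EventMesh: raft Hessian Deserialization Vulnerability allowing remote code execution |
| CVE-2024-4028 | unknown | — | — | 1y ago | Keycloak allows cross-site scripting (XSS) |
| CVE-2024-52807 | unknown | — | — | 1y ago | XXE vulnerability in XSLT parsing in `org.hl7.fhir.publisher` |
| CVE-2024-38819 | unknown | — | — | 2y ago | Spring Framework Path Traversal vulnerability |
| CVE-2024-45337 | unknown | — | — | 2y ago | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. |
| CVE-2024-43709 | unknown | — | — | 1y ago | Elasticsearch allocation of resources without limits or throttling leads to crash |
"""

# Constructed sample of the shifted layout seen in raw dashboard exports: nine
# cells under a nine-column header, with the age and description in the
# Flags/OS positions and the last three cells empty.
SHIFTED_ROW = "| CVE-2024-52046 | unknown | — | — | 2y ago | Apache MINA Deserialization RCE Vulnerability | |||"


def parse_row(line):
    """Return a dict for one data row, or None for header/separator lines."""
    cells = [c.strip() for c in line.split("|")]
    cells = cells[1:-1]  # drop the empty strings outside the outer pipes
    if len(cells) < 6 or not CVE_ID.match(cells[0]):
        return None
    # Locate the relative-age cell instead of trusting a column index, so the
    # aligned layout and the shifted export layout parse identically.
    age_idx = next((i for i, c in enumerate(cells) if AGE.match(c)), None)
    if age_idx is None or age_idx + 1 >= len(cells):
        return None
    return {
        "cve": cells[0],
        "severity": cells[1],
        "cvss": cells[2],
        "risk": cells[3],
        "published": cells[age_idx],
        "description": cells[age_idx + 1],
    }


def parse_listing(text):
    rows = (parse_row(line) for line in text.splitlines() if line.startswith("|"))
    return [r for r in rows if r is not None]


def classify(description):
    """Map a description to the first matching triage bucket, else 'other'."""
    text = description.lower()
    for name, pattern in BUCKETS:
        if pattern.search(text):
            return name
    return "other"


def triage(text):
    """Summarise a listing: row count, unscored rows, bucket and age counts."""
    rows = parse_listing(text)
    return {
        "rows": len(rows),
        # 'unknown' severity with no CVSS is what this listing shows for every row.
        "unscored": sum(1 for r in rows if r["severity"] == "unknown" and r["cvss"] in ("", "—")),
        "by_bucket": Counter(classify(r["description"]) for r in rows),
        "by_age": Counter(r["published"] for r in rows),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ROWS)
    for bucket, count in sorted(summary["by_bucket"].items()):
        print(f"{bucket:<11}{count}")
    print("unscored:", summary["unscored"], "of", summary["rows"])
```

Because the buckets are matched in order, put the classes you care most about first (here code execution before authorization, so "RCE via auth bypass" lands in `rce`); anything the keywords miss falls into `other`, which is the list to read by hand. The `unscored` count is the honest caveat for a listing like this: with every row at severity unknown, the bucket is the only signal available until NVD or the vendor publishes a score.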