| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
22151 |
CVE-2014-0296 |
310 |
|
+Info |
2014-06-11 |
2019-05-15 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
The Remote Desktop Protocol (RDP) implementation in Microsoft Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly encrypt sessions, which makes it easier for man-in-the-middle attackers to obtain sensitive information by sniffing the network or modify session content by sending crafted RDP packets, aka "RDP MAC Vulnerability." |
|
22152 |
CVE-2014-0256 |
20 |
|
DoS |
2014-05-14 |
2018-10-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold allow remote attackers to cause a denial of service (iSCSI service outage) by sending many crafted packets, aka "iSCSI Target Remote Denial of Service Vulnerability." |
|
22153 |
CVE-2014-0255 |
20 |
|
DoS |
2014-05-14 |
2019-05-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 Gold and R2 allow remote attackers to cause a denial of service (iSCSI service outage) by sending many crafted packets, aka "iSCSI Target Remote Denial of Service Vulnerability." |
|
22154 |
CVE-2014-0253 |
20 |
|
DoS |
2014-02-12 |
2018-10-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine TCP connection states, which allows remote attackers to cause a denial of service (ASP.NET daemon hang) via crafted HTTP requests that trigger persistent resource consumption for a (1) stale or (2) closed connection, as exploited in the wild in February 2014, aka "POST Request DoS Vulnerability." |
|
22155 |
CVE-2014-0239 |
20 |
|
DoS |
2014-05-28 |
2017-01-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The internal DNS server in Samba 4.x before 4.0.18 does not check the QR field in the header section of an incoming DNS message before sending a response, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged response packet that triggers a communication loop, a related issue to CVE-1999-0103. |
|
22156 |
CVE-2014-0238 |
119 |
|
DoS Overflow |
2014-06-01 |
2017-01-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long. |
|
22157 |
CVE-2014-0237 |
399 |
|
DoS |
2014-06-01 |
2017-01-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls. |
|
22158 |
CVE-2014-0236 |
|
|
DoS |
2016-05-16 |
2016-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
file before 5.18, as used in the Fileinfo component in PHP before 5.6.0, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a zero root_storage value in a CDF file, related to cdf.c and readcdf.c. |
|
22159 |
CVE-2014-0231 |
399 |
|
DoS |
2014-07-20 |
2021-06-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor. |
|
22160 |
CVE-2014-0224 |
326 |
|
+Info |
2014-06-05 |
2022-08-16 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. |
|
22161 |
CVE-2014-0216 |
264 |
|
+Info |
2014-05-27 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block. |
|
22162 |
CVE-2014-0212 |
400 |
|
|
2019-12-13 |
2019-12-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
qpid-cpp: ACL policies only loaded if the acl-file option specified enabling DoS by consuming all available file descriptors |
|
22163 |
CVE-2014-0193 |
399 |
|
DoS |
2014-05-06 |
2019-09-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames. |
|
22164 |
CVE-2014-0192 |
264 |
|
+Info |
2014-05-08 |
2014-05-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Foreman 1.4.0 before 1.5.0 does not properly restrict access to provisioning template previews, which allows remote attackers to obtain sensitive information via the hostname parameter, related to "spoof." |
|
22165 |
CVE-2014-0186 |
|
|
DoS |
2014-06-14 |
2014-06-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
A certain tomcat7 package for Apache Tomcat 7 in Red Hat Enterprise Linux (RHEL) 7 allows remote attackers to cause a denial of service (CPU consumption) via a crafted request. NOTE: this vulnerability exists because of an unspecified regression. |
|
22166 |
CVE-2014-0180 |
399 |
|
DoS |
2014-07-07 |
2014-07-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The wait_for_task function in app/controllers/application_controller.rb in Red Hat CloudForms 3.0 Management Engine (CFME) before 5.2.4.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via unspecified vectors. |
|
22167 |
CVE-2014-0173 |
264 |
|
Bypass |
2014-04-22 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.2, 2.6.x before 2.6.3, 2.7.x before 2.7.2, 2.8.x before 2.8.2, and 2.9.x before 2.9.3 for WordPress does not properly restrict access to the XML-RPC service, which allows remote attackers to bypass intended restrictions and publish posts via unspecified vectors. NOTE: some of these details are obtained from third party information. |
|
22168 |
CVE-2014-0171 |
|
|
|
2015-01-15 |
2020-03-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint. |
|
22169 |
CVE-2014-0160 |
119 |
2
|
Overflow +Info |
2014-04-07 |
2020-07-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. |
|
22170 |
CVE-2014-0159 |
119 |
|
DoS Overflow |
2014-04-14 |
2016-08-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in the GetStatistics64 remote procedure call (RPC) in OpenAFS 1.4.8 before 1.6.7 allows remote attackers to cause a denial of service (crash) via a crafted statsVersion argument. |
|
22171 |
CVE-2014-0155 |
20 |
|
DoS |
2014-04-14 |
2020-08-26 |
5.5 |
None |
Local Network |
Low |
??? |
None |
None |
Complete |
|
The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. |
|
22172 |
CVE-2014-0154 |
200 |
|
+Info |
2015-02-13 |
2015-02-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
|
22173 |
CVE-2014-0139 |
310 |
|
|
2014-04-15 |
2017-12-16 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. |
|
22174 |
CVE-2014-0136 |
20 |
|
|
2014-10-27 |
2015-01-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors. |
|
22175 |
CVE-2014-0128 |
20 |
|
DoS |
2014-04-14 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management. |
|
22176 |
CVE-2014-0125 |
264 |
|
Bypass |
2014-03-24 |
2020-12-01 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. |
|
22177 |
CVE-2014-0116 |
264 |
|
|
2014-05-08 |
2019-08-12 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. |
|
22178 |
CVE-2014-0102 |
310 |
|
DoS |
2014-03-11 |
2020-08-27 |
5.2 |
None |
Local Network |
Medium |
??? |
None |
None |
Complete |
|
The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands. |
|
22179 |
CVE-2014-0098 |
20 |
|
DoS |
2014-03-18 |
2021-06-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. |
|
22180 |
CVE-2014-0095 |
20 |
|
DoS |
2014-05-31 |
2017-11-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing. |
|
22181 |
CVE-2014-0094 |
|
|
|
2014-03-11 |
2019-08-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. |
|
22182 |
CVE-2014-0093 |
264 |
|
Bypass |
2014-04-03 |
2017-01-07 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2, when using a Java Security Manager (JSM), does not properly apply permissions defined by a policy file, which causes applications to be granted the java.security.AllPermission permission and allows remote attackers to bypass intended access restrictions. |
|
22183 |
CVE-2014-0092 |
310 |
|
|
2014-03-07 |
2016-11-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. |
|
22184 |
CVE-2014-0091 |
20 |
|
DoS |
2019-12-11 |
2019-12-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Foreman has improper input validation which could lead to partial Denial of Service |
|
22185 |
CVE-2014-0082 |
20 |
|
DoS |
2014-02-20 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers. |
|
22186 |
CVE-2014-0079 |
20 |
|
DoS |
2014-04-28 |
2014-04-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 7.1.8, 6.20.0, and earlier, when using certain build conditions, allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the password." |
|
22187 |
CVE-2014-0077 |
787 |
|
DoS +Priv Mem. Corr. |
2014-04-14 |
2020-08-19 |
5.5 |
None |
Local Network |
High |
??? |
Partial |
Partial |
Complete |
|
drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. |
|
22188 |
CVE-2014-0075 |
189 |
|
DoS Overflow |
2014-05-31 |
2019-04-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. |
|
22189 |
CVE-2014-0072 |
20 |
|
|
2017-10-30 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. |
|
22190 |
CVE-2014-0055 |
|
|
DoS |
2014-03-26 |
2019-04-22 |
5.5 |
None |
Local Network |
Low |
??? |
None |
None |
Complete |
|
The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. |
|
22191 |
CVE-2014-0053 |
264 |
|
Dir. Trav. +Info |
2014-04-15 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal. |
|
22192 |
CVE-2014-0044 |
119 |
|
DoS Overflow |
2014-02-08 |
2014-03-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The opus_packet_get_samples_per_frame function in client in Mumble 1.2.4 and the 1.2.3 pre-release snapshots allows remote attackers to cause a denial of service (crash) via a crafted length prefix value, which triggers a NULL pointer dereference or a heap-based buffer over-read (aka "out-of-bounds array access"). |
|
22193 |
CVE-2014-0043 |
200 |
|
+Info |
2017-10-03 |
2017-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use. |
|
22194 |
CVE-2014-0037 |
20 |
|
DoS |
2014-04-28 |
2014-04-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ValidateUserLogon function in provider/libserver/ECSession.cpp in Zarafa 5.00 before 7.1.8 beta2 allows remote attackers to cause a denial of service (crash) via vectors related to "a NULL pointer of the username." |
|
22195 |
CVE-2014-0022 |
20 |
|
Bypass |
2014-01-26 |
2014-01-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package signing restriction via an unsigned package. |
|
22196 |
CVE-2014-0021 |
|
|
|
2019-11-15 |
2019-12-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Chrony before 1.29.1 has traffic amplification in cmdmon protocol |
|
22197 |
CVE-2014-0020 |
20 |
|
DoS |
2014-02-06 |
2014-03-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message. |
|
22198 |
CVE-2014-0009 |
264 |
|
|
2014-01-20 |
2020-12-01 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request. |
|
22199 |
CVE-2013-20001 |
|
|
|
2021-02-12 |
2021-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An issue was discovered in OpenZFS through 2.0.3. When an NFS share is exported to IPv6 addresses via the sharenfs feature, there is a silent failure to parse the IPv6 address data, and access is allowed to everyone. IPv6 restrictions from the configuration are not applied. |
|
22200 |
CVE-2013-10004 |
307 |
|
|
2022-05-24 |
2022-06-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component. |
