| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
| 1 | CVE-2022-30597 | | | | 2022-05-18 | 2022-06-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
A flaw was found in moodle where the description user field was not hidden when being set as a hidden user field. |
| 2 | CVE-2022-1949 | 863 | | Bypass | 2022-06-02 | 2022-06-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
An access control bypass vulnerability was found in 389-ds-base. It was first understood as a mishandling of the filter that would yield incorrect results, but as analysis has progressed, it has been determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data. |
| 3 | CVE-2022-0918 | | | DoS | 2022-03-16 | 2023-03-01 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection; no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing. |
| 4 | CVE-2022-0853 | 401 | | +Info | 2022-03-11 | 2022-03-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client side when using UserTransaction repeatedly, and leads to an information leakage vulnerability. |
| 5 | CVE-2022-0711 | 835 | | DoS | 2022-03-02 | 2022-07-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability. |
| 6 | CVE-2021-42781 | 787 | | Overflow | 2022-04-18 | 2022-09-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library. |
| 7 | CVE-2021-42780 | 252 | | | 2022-04-18 | 2022-09-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A use after return issue was found in Opensc before version 0.22.0 in the insert_pin function that could potentially crash programs using the library. |
| 8 | CVE-2021-42779 | 416 | | | 2022-04-18 | 2022-09-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A heap use after free issue was found in Opensc before version 0.22.0 in sc_file_valid. |
| 9 | CVE-2021-42778 | 415 | | | 2022-04-18 | 2022-09-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo. |
| 10 | CVE-2021-41819 | 565 | | | 2022-01-01 | 2022-09-10 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. |
| 11 | CVE-2021-41817 | | | DoS | 2022-01-01 | 2022-09-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. |
| 12 | CVE-2021-40153 | 22 | | Dir. Trav. | 2021-08-27 | 2021-10-07 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination. |
| 13 | CVE-2021-31918 | 732 | | | 2021-05-06 | 2022-10-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality. |
| 14 | CVE-2021-23214 | 89 | | Sql | 2022-03-04 | 2023-01-31 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. |
| 15 | CVE-2021-20289 | 209 | | | 2021-03-26 | 2022-05-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. |
| 16 | CVE-2021-20271 | 345 | | Exec Code | 2021-03-26 | 2023-02-12 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. |
| 17 | CVE-2021-20270 | 835 | | DoS | 2021-03-23 | 2021-12-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. |
| 18 | CVE-2021-20267 | 345 | | DoS | 2021-05-28 | 2022-10-07 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial |
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch driver are affected. Source: OpenStack project. Versions before openstack-neutron 15.3.3, openstack-neutron 16.3.1 and openstack-neutron 17.1.1 are affected. |
| 19 | CVE-2021-20228 | 200 | | +Info | 2021-04-29 | 2022-08-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality. |
| 20 | CVE-2021-20222 | 79 | | Exec Code XSS | 2021-03-23 | 2022-10-21 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| 21 | CVE-2021-20220 | 444 | | XSS +Info | 2021-02-23 | 2022-02-22 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. The highest threat from this vulnerability is to data confidentiality and integrity. |
| 22 | CVE-2021-20218 | 22 | | Dir. Trav. | 2021-03-16 | 2021-03-25 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2, kubernetes-client-5.0.2, kubernetes-client-4.11.2 and kubernetes-client-4.7.2. |
| 23 | CVE-2021-20201 | | | DoS | 2021-05-28 | 2022-10-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection. |
| 24 | CVE-2021-20179 | 863 | | | 2021-03-15 | 2021-03-24 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None |
A flaw was found in pki-core. An attacker who has successfully compromised a key could use this flaw to renew the corresponding certificate over and over again, as long as it is not explicitly revoked. The highest threat from this vulnerability is to data confidentiality and integrity. |
| 25 | CVE-2021-4166 | 125 | | | 2021-12-25 | 2022-11-02 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial |
vim is vulnerable to Out-of-bounds Read |
| 26 | CVE-2021-4091 | 415 | | | 2022-02-18 | 2022-12-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. |
| 27 | CVE-2021-4047 | 20 | | | 2022-04-11 | 2023-02-12 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
The release of OpenShift 4.9.6 included four CVE fixes for the haproxy package, however the patch for CVE-2021-39242 was missing. This issue only affects Red Hat OpenShift 4.9. |
| 28 | CVE-2021-3935 | 89 | | Sql | 2021-11-22 | 2022-03-16 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1. |
| 29 | CVE-2021-3814 | 862 | | Bypass | 2022-03-25 | 2022-04-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
It was found that 3scale's APIdocs does not validate the access token; in the case of an invalid token, it uses session auth instead. This conceivably bypasses access controls and permits unauthorized information disclosure. |
| 30 | CVE-2021-3772 | 354 | | | 2022-03-02 | 2023-02-12 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses. |
| 31 | CVE-2021-3698 | 295 | | | 2022-03-10 | 2022-03-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality. |
| 32 | CVE-2021-3637 | 770 | | | 2021-07-09 | 2021-07-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. |
| 33 | CVE-2021-3610 | 125 | | Overflow | 2022-02-24 | 2022-03-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault. |
| 34 | CVE-2021-3580 | 20 | | DoS | 2021-08-05 | 2021-11-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service. |
| 35 | CVE-2021-3571 | 125 | | +Info | 2021-07-09 | 2022-10-07 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial |
A flaw was found in the ptp4l program of the linuxptp package. When ptp4l is operating on a little-endian architecture as a PTP transparent clock, a remote attacker could send a crafted one-step sync message to cause an information leak or crash. The highest threat from this vulnerability is to data confidentiality and system availability. This flaw affects linuxptp versions before 3.1.1 and before 2.0.1. |
| 36 | CVE-2021-3531 | 617 | | DoS | 2021-05-18 | 2022-10-27 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in the Red Hat Ceph Storage RGW in versions before 14.2.21. When processing a GET Request for a swift URL that ends with two slashes it can cause the rgw to crash, resulting in a denial of service. The greatest threat to the system is of availability. |
| 37 | CVE-2021-3504 | 125 | | | 2021-05-11 | 2021-06-21 | 5.8 | None | Remote | Medium | Not required | Partial | None | Partial |
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat from this vulnerability is to system availability. |
| 38 | CVE-2021-3445 | 347 | | Exec Code | 2021-05-19 | 2022-02-24 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial |
A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability. |
| 39 | CVE-2021-3424 | | | | 2021-06-01 | 2022-04-25 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick an admin into granting him extra privileges. |
| 40 | CVE-2021-3412 | 307 | | Bypass | 2021-06-01 | 2022-06-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks. |
| 41 | CVE-2020-36332 | 400 | | | 2021-05-21 | 2022-09-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability. |
| 42 | CVE-2020-35518 | 203 | | | 2021-03-26 | 2022-08-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database. |
| 43 | CVE-2020-29573 | 787 | | Overflow | 2020-12-06 | 2021-01-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of "Fixed for glibc 2.33" in the 26649 reference. |
| 44 | CVE-2020-27825 | 362 | | DoS +Info | 2020-12-11 | 2022-09-02 | 5.4 | None | Local | Medium | Not required | Partial | None | Complete |
A use-after-free flaw was found in kernel/trace/ring_buffer.c in the Linux kernel (before 5.10-rc1). There was a race between trace_open and the resize of a CPU buffer running in parallel on different CPUs, which may cause a denial of service (DoS). This flaw could even expose a kernel information leak to a local attacker with special user privilege. |
| 45 | CVE-2020-27816 | 601 | | | 2020-12-02 | 2020-12-04 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
The elasticsearch-operator does not validate the namespace where the kibana logging resource is created, and because of that it is possible to replace the original openshift-logging console link (kibana console) with a different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or damage to the openshift-logging console link. This flaw affects elasticsearch-operator-container versions before 4.7. |
| 46 | CVE-2020-27778 | 824 | | DoS | 2020-12-03 | 2022-09-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would crash the application causing a denial of service. |
| 47 | CVE-2020-25716 | | | | 2021-06-07 | 2022-10-21 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None |
A role-based privilege escalation flaw was found in Cloudforms, where export or import of administrator files is possible. An attacker in a specific group can perform actions restricted only to the system administrator. This is the effect of an incomplete fix for CVE-2020-10783. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before cfme 5.11.10.1 are affected. |
| 48 | CVE-2020-25710 | 617 | | | 2021-05-28 | 2021-09-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability. |
| 49 | CVE-2020-25709 | 617 | | | 2021-05-18 | 2021-09-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAP’s slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability. |
| 50 | CVE-2020-25708 | 369 | | DoS | 2020-11-27 | 2022-10-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
A divide by zero issue was found to occur in libvncserver-0.9.12. A malicious client could use this flaw to send a specially crafted message that, when processed by the VNC server, would lead to a floating point exception, resulting in a denial of service. |