CVE-2022-22968

<= 8.0.29

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on

5.3MEDIUM

CVE-2022-22965

< 8.0.29

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Th

9.8CRITICAL

CVE-2022-22963

<= 8.0.29

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for

9.8CRITICAL

CVE-2022-21824

<= 8.0.29

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "

8.2HIGH

CVE-2021-44533

<= 8.0.29

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers

5.3MEDIUM

CVE-2021-44532

<= 8.0.29

Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this s

5.3MEDIUM

CVE-2021-44531

<= 8.0.29

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can r

7.4HIGH

CVE-2022-23181

<= 8.0.29

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.

7.0HIGH

CVE-2022-23307

<= 8.0.29

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a compon

8.8HIGH

CVE-2022-23305

<= 8.0.29

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted a

9.8CRITICAL

CVE-2022-23302

<= 8.0.29

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the

8.8HIGH

CVE-2021-45105

<= 8.0.29

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from sel

5.9MEDIUM

CVE-2021-4104

<= 8.0.29

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j config

7.5HIGH

CVE-2021-41183

<= 8.0.29

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options o

6.5MEDIUM

CVE-2021-41182

<= 8.0.29

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of

6.5MEDIUM

CVE-2021-3712

<= 8.0.25

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string dat

7.4HIGH

CVE-2021-3711

<= 8.0.25

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an applic

9.8CRITICAL

CVE-2021-33037

<= 8.0.25

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding reque

5.3MEDIUM

CVE-2021-22118

<= 8.0.25

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a pr

7.8HIGH

CVE-2021-3450

<= 8.0.23

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not

7.4HIGH

CVE-2021-25329

<= 8.0.23

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0

7.0HIGH

CVE-2021-25122

<= 8.0.23

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61

7.5HIGH

CVE-2021-22112

<= 8.0.25

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions c

8.8HIGH

CVE-2021-23841

< 8.0.23

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and seria

5.9MEDIUM

CVE-2020-17530

all versions

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software :

9.8CRITICAL

CVE-2020-17527

< 8.0.23

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59

7.5HIGH

CVE-2020-26237

<= 8.0.30

Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Proto

5.8MEDIUM

CVE-2020-5421

<= 8.0.22

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the pr

6.5MEDIUM

CVE-2019-0233

<= 8.0.23

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

7.5HIGH

CVE-2019-0230

<= 8.0.23

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remot

9.8CRITICAL

CVE-2020-13935

<= 8.0.21

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8

7.5HIGH

CVE-2020-13934

<= 8.0.21

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/

7.5HIGH

CVE-2020-11996

<= 8.0.21

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.

7.5HIGH

CVE-2020-9484

<= 8.0.21

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attack

7.0HIGH

CVE-2020-1967

<= 4.0.12

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL

7.5HIGH

CVE-2020-1938

<= 4.0.12

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats

9.8CRITICAL

CVE-2020-1935

>= 4.0.0 and <= 4.0.12

In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-l

4.8MEDIUM

CVE-2019-17569

<= 4.0.12

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The resu

4.8MEDIUM

CVE-2020-5397

>= 4.0.0 and <= 4.0.12

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring

5.3MEDIUM

CVE-2019-17563

<= 4.0.11.5331

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow windo

7.5HIGH

CVE-2019-17571

<= 8.0.29

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to re

9.8CRITICAL

CVE-2019-1551

<= 4.0.12

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms

5.3MEDIUM

CVE-2019-1559

<= 4.0.8

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to

5.9MEDIUM

CVE-2018-15756

<= 4.0.12

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on t

7.5HIGH

CVE-2018-11776

<= 3.4.9.4237

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace i

8.1HIGH

CVE-2018-11040

<= 3.4.9.4237

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications

7.5HIGH

CVE-2018-11039

<= 3.4.9.4237

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applica

5.9MEDIUM

CVE-2018-1258

<= 8.0.2.8191

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when

8.8HIGH

CVE-2017-10424

all versions

Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Web). Supported versions that a

8.8HIGH

CVE-2017-12617

<= 3.3.6.3293

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs ena

8.1HIGH

CVE-2017-3307

>= 3.1.0 and <= 3.1.6.8003

Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Server). Supported versions tha

3.1LOW

CVE-2017-3306

>= 3.1.0 and <= 3.1.6.8003

Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Server). Supported versions tha

8.3HIGH

CVE-2017-5645

>= 3.4.0.0 and <= 3.4.7.4297

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from anot

9.8CRITICAL

CVE-2016-8735

<= 3.2.8.2223

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and

9.8CRITICAL

CVE-2016-5590

<= 3.1.3.7856

Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Agent). Supported versions that

7.2HIGH

CVE-2016-3461

all versions

Unspecified vulnerability in the MySQL Enterprise Monitor component in Oracle MySQL 3.0.25 and earlier and 3.1.2 and earlier allow

7.2HIGH

CVE-2015-3144

<= 2.3.20

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote atta

CVE-2013-4316

<= 2.3.14

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.