Max CVSS: 7.5 | Min CVSS: 4.0 | Total Count: 2

| ID | CVSS | Summary | Last (major) update | Published |
|---|---|---|---|---|
| CVE-2020-27216 | 4.4 | In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can obser | 16-04-2021 - 06:15 | 23-10-2020 - 13:15 |
| CVE-2019-20444 | 6.4 | HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." | 06-04-2021 - 12:15 | 29-01-2020 - 21:15 |
| CVE-2019-20445 | 6.4 | HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. | 06-04-2021 - 12:15 | 29-01-2020 - 21:15 |
| CVE-2019-17571 | 7.5 | Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic fo | 01-04-2021 - 19:25 | 20-12-2019 - 17:15 |
| CVE-2019-16869 | 5.0 | Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | 30-03-2021 - 14:14 | 26-09-2019 - 16:15 |
| CVE-2018-8088 | 7.5 | org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. | 29-03-2021 - 03:15 | 20-03-2018 - 16:29 |
| CVE-2020-13956 | 5.0 | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution. | 24-03-2021 - 19:05 | 02-12-2020 - 17:15 |
| CVE-2019-17640 | 7.5 | In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly process back slashes on Windows Operating syst | 24-03-2021 - 14:15 | 15-10-2020 - 21:15 |
| CVE-2020-9488 | 4.3 | Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. | 15-03-2021 - 22:16 | 27-04-2020 - 16:15 |
| CVE-2020-27218 | 5.8 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if a | 10-03-2021 - 16:15 | 28-11-2020 - 01:15 |
| CVE-2016-2402 | 4.3 | OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate. | 01-02-2021 - 21:28 | 30-01-2017 - 22:59 |
| CVE-2017-1000487 | 7.5 | Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double-quoted strings. | 28-01-2021 - 18:11 | 03-01-2018 - 20:29 |
| CVE-2019-17638 | 7.5 | In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to | 27-01-2021 - 21:15 | 09-07-2020 - 18:15 |
| CVE-2019-8331 | 4.3 | In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. | 23-12-2020 - 19:14 | 20-02-2019 - 16:29 |
| CVE-2019-3564 | 5.0 | Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial | 16-12-2020 - 06:15 | 06-05-2019 - 16:29 |
| CVE-2019-3559 | 5.0 | Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to deni | 16-12-2020 - 06:15 | 06-05-2019 - 16:29 |
| CVE-2018-20676 | 4.3 | In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. | 16-12-2020 - 06:15 | 09-01-2019 - 05:29 |
| CVE-2018-20677 | 4.3 | In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. | 16-12-2020 - 06:15 | 09-01-2019 - 05:29 |
| CVE-2018-20200 | 4.3 | ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some pa | 16-12-2020 - 06:15 | 18-04-2019 - 19:29 |
| CVE-2019-3565 | 5.0 | Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to | 16-12-2020 - 06:15 | 06-05-2019 - 16:29 |
| CVE-2019-3558 | 5.0 | Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to de | 16-12-2020 - 06:15 | 06-05-2019 - 16:29 |
| CVE-2019-3552 | 5.0 | C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially lea | 16-12-2020 - 06:15 | 06-05-2019 - 16:29 |
| CVE-2018-14042 | 4.3 | In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. | 16-12-2020 - 06:15 | 13-07-2018 - 14:29 |
| CVE-2018-14040 | 4.3 | In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. | 16-12-2020 - 06:15 | 13-07-2018 - 14:29 |
| CVE-2013-7398 | 4.3 | main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof | 16-12-2020 - 06:15 | 24-06-2015 - 16:59 |
| CVE-2018-12544 | 7.5 | In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type | 16-12-2020 - 06:15 | 10-10-2018 - 20:29 |
| CVE-2013-7397 | 4.3 | Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presen | 16-12-2020 - 06:15 | 24-06-2015 - 16:59 |
| CVE-2018-12542 | 7.5 | In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a lo | 16-12-2020 - 06:15 | 10-10-2018 - 20:29 |
| CVE-2018-12541 | 4.0 | In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above wh | 16-12-2020 - 06:15 | 10-10-2018 - 20:29 |
| CVE-2018-12636 | 6.5 | The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. | 16-12-2020 - 06:15 | 22-06-2018 - 16:29 |
| CVE-2018-11747 | 7.5 | Previously, Puppet Discovery was shipped with a default generated TLS certificate in the nginx container. In version 1.4.0, a unique certificate will be generated on installation or the user will be able to provide their own TLS certificate for ingre | 16-12-2020 - 06:15 | 21-03-2019 - 16:00 |
| CVE-2018-11746 | 5.0 | In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if an HTTPS server is not available. This can expose the login credentials being used by Puppe | 16-12-2020 - 06:15 | 03-07-2018 - 13:29 |
| CVE-2017-14063 | 5.0 | Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE | 16-12-2020 - 06:15 | 31-08-2017 - 16:29 |
| CVE-2019-17638 | 7.5 | In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to | 30-09-2020 - 18:15 | 09-07-2020 - 18:15 |
| CVE-2019-20444 | 6.4 | HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." | 25-09-2020 - 20:15 | 29-01-2020 - 21:15 |
| CVE-2019-20445 | 6.4 | HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. | 25-09-2020 - 20:15 | 29-01-2020 - 21:15 |
| CVE-2017-14063 | 5.0 | Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE | 25-09-2020 - 15:15 | 31-08-2017 - 16:29 |
| CVE-2019-16869 | 5.0 | Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | 25-09-2020 - 00:15 | 26-09-2019 - 16:15 |