Follow Security Vulnerabilities
in your software stack

It's easy to miss out on a security vulnerability announcements, and hard to filter through all the noise.

Use StackWatch to create a software stack (a list of software you use), then get a weekly email with security vulnerabilities that have been published for software within your stack.

Just click a Watch button to get started.

subscriber

Most Vulnerabilities most CVEs per product since 2018


Debian Linux 4265 vulnerabilities
OS

Canonical Ubuntu Linux 2995 vulnerabilities
Linux Operating System

Fedora Project Fedora 2743 vulnerabilities

Google Android 2342 vulnerabilities
Mobile operating system

Microsoft Windows 10 2251 vulnerabilities

Microsoft Windows Server 2016 2238 vulnerabilities

Microsoft Windows Server 2019 1969 vulnerabilities

Microsoft Windows Server 2012 1461 vulnerabilities

Microsoft Windows 8.1 1391 vulnerabilities

Google Chrome 1324 vulnerabilities
Web browser

Microsoft Windows Rt 8 1 1298 vulnerabilities

Microsoft Windows Server 2008 1289 vulnerabilities

Microsoft Windows 7 1268 vulnerabilities

Linux Kernel 1152 vulnerabilities

Apple iOS 1152 vulnerabilities
The iOS Operating System used by iPhones.

Red Hat Enterprise Linux Server 1058 vulnerabilities
RedHat Enterprise Linux (RHEL) Server. Includes software bundeled with RHEL server.

OpenSuse Leap 1042 vulnerabilities

Red Hat Enterprise Linux Workstation 1039 vulnerabilities
RedHat Enterprise Linux (RHEL) Workstation. Includes software bundled with RHEL Workstation.

Red Hat Enterprise Linux Desktop 1024 vulnerabilities
RedHat Enterprise Linux (RHEL) Desktop. Includes software bundled with RHEL desktop

Apple Mac OSX 987 vulnerabilities
Macintosh Operating System

See More

Popular Vendors

Adobe Microsoft Apache NGINX Google Apple Linux PHP OpenSSL Ruby on Rails PostgreSQL jQuery nodejs MongoDB Docker Jenkins HashiCorp Ruby Programming Language Laravel Elastic Zoom NVIDIA

See More

Popular Products

Internet Information Server (IIS) Tomcat Java Runtime Environment (JRE) Chrome Firefox iOS MySQL Safari SQL Server Windows Server 2019 Kubernetes React Watch OS Photoshop CC Redis Caddy Web Server GitLab Go

See More

Recent Vulnerabilities

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape

CVE-2022-28189 5.5 - Medium - May 17, 2022

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a NULL pointer dereference may lead to a system crash.

CVE-2022-28189 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

NULL Pointer Dereference

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation

CVE-2022-28190 5.5 - Medium - May 17, 2022

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where improper input validation can cause denial of service.

CVE-2022-28190 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Improper Input Validation

A remote bypass security restrictions vulnerability was discovered in HPE OneView version(s): Prior to 7.0

CVE-2022-28617 9.8 - Critical - May 17, 2022

A remote bypass security restrictions vulnerability was discovered in HPE OneView version(s): Prior to 7.0. HPE has provided a software update to resolve this vulnerability in HPE OneView.

CVE-2022-28617 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

authentification

A remote cross-site scripting (xss) vulnerability was discovered in HPE OneView version(s): Prior to 7.0

CVE-2022-23706 6.1 - Medium - May 17, 2022

A remote cross-site scripting (xss) vulnerability was discovered in HPE OneView version(s): Prior to 7.0. HPE has provided a software update to resolve this vulnerability in HPE OneView.

CVE-2022-23706 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below

CVE-2022-23674 5.4 - Medium - May 17, 2022

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

CVE-2022-23674 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation

CVE-2022-30688 7.8 - High - May 17, 2022

needrestart 0.8 through 3.5 before 3.6 is prone to local privilege escalation. Regexes to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart tries to detect if interpreters are using old source files.

CVE-2022-30688 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Improper Privilege Management

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below

CVE-2022-23673 7.2 - High - May 17, 2022

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

CVE-2022-23673 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Command Injection

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below

CVE-2022-23675 4.8 - Medium - May 17, 2022

A remote authenticated stored cross-site scripting (xss) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

CVE-2022-23675 can be exploited with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.7 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below

CVE-2022-23669 8.8 - High - May 17, 2022

A remote authorization bypass vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

CVE-2022-23669 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Insufficient Session Expiration

A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below

CVE-2022-23671 7.5 - High - May 17, 2022

A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

CVE-2022-23671 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Information Disclosure

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below

CVE-2022-23672 7.2 - High - May 17, 2022

A authenticated remote command injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

CVE-2022-23672 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 1.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Command Injection

IBM Security Identity Governance and Intelligence 5.2.6 could disclose sensitive information in URL parameters

CVE-2020-4957 5.3 - Medium - May 17, 2022

IBM Security Identity Governance and Intelligence 5.2.6 could disclose sensitive information in URL parameters that could aid in future attacks against the system. IBM X-Force ID: 192208.

CVE-2020-4957 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Exposure of Resource to Wrong Sphere

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier

CVE-2022-30959 6.5 - Medium - May 17, 2022

A missing permission check in Jenkins SSH Plugin 2.6.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-30959 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

AuthZ

A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier

CVE-2022-30972 8.8 - High - May 17, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Storable Configs Plugin 1.0 and earlier allows attackers to have Jenkins parse a local XML file (e.g., archived artifacts) that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVE-2022-30972 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Session Riding

Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters

CVE-2022-30960 5.4 - Medium - May 17, 2022

Jenkins Application Detector Plugin 1.0.8 and earlier does not escape the name of Chois Application Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30960 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters

CVE-2022-30963 5.4 - Medium - May 17, 2022

Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30963 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters

CVE-2022-30964 5.4 - Medium - May 17, 2022

Jenkins Multiselect parameter Plugin 1.3 and earlier does not escape the name and description of Multiselect parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30964 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner

CVE-2022-30970 5.4 - Medium - May 17, 2022

Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30970 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters

CVE-2022-30967 5.4 - Medium - May 17, 2022

Jenkins Selection tasks Plugin 1.0 and earlier does not escape the name and description of Script Selection task variable parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30967 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-30971 8.8 - High - May 17, 2022

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-30971 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

XXE

Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters

CVE-2022-30968 5.4 - Medium - May 17, 2022

Jenkins vboxwrapper Plugin 1.3 and earlier does not escape the name and description of VBox node parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30968 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters

CVE-2022-30961 5.4 - Medium - May 17, 2022

Jenkins Autocomplete Parameter Plugin 1.1 and earlier does not escape the name of Dropdown Autocomplete and Auto Complete String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30961 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters

CVE-2022-30965 5.4 - Medium - May 17, 2022

Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name and description of Promotion Level parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30965 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier

CVE-2022-30958 8.8 - High - May 17, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins SSH Plugin 2.6.1 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2022-30958 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Session Riding

Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters

CVE-2022-30966 5.4 - Medium - May 17, 2022

Jenkins Random String Parameter Plugin 1.0 and earlier does not escape the name and description of Random String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30966 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier

CVE-2022-30969 8.8 - High - May 17, 2022

A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.

CVE-2022-30969 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Session Riding

Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters

CVE-2022-30962 5.4 - Medium - May 17, 2022

Jenkins Global Variable String Parameter Plugin 1.2 and earlier does not escape the name and description of Global Variable String parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30962 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

In Apache ShenYui

CVE-2022-26650 7.5 - High - May 17, 2022

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

CVE-2022-26650 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

AuthZ

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file

CVE-2022-1586 9.1 - Critical - May 16, 2022

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

CVE-2022-1586 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and a high impact on availability.

Out-of-bounds Read

A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below

CVE-2022-23670 6.5 - Medium - May 16, 2022

A remote authenticated information disclosure vulnerability was discovered in Aruba ClearPass Policy Manager version(s): 6.10.4 and below, 6.9.9 and below, 6.8.9-HF2 and below, 6.7.x and below. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability.

CVE-2022-23670 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.