LiveActive security incident?Get immediate response
CVE archive

December 2024

Browse CVE records published in December 2024, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3123 matching CVEs · Page 1 of 63.

High · CVSS 7.5

CVE-2024-3884: Undertow: outofmemory when parsing form data encoding with application/x-www-form-urlencoded

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Published Dec 3, 2025 · Updated Jul 7, 2026

Medium · CVSS 4.4

CVE-2024-12401: Cert-manager: potential dos when parsing specially crafted pem inputs

A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.

Published Dec 12, 2024 · Updated Jun 26, 2026

High · CVSS 7.6

CVE-2024-45497: Openshift-api: openshift-controller-manager/build: build process in openshift allows overwriting of node pull credentials

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.

Published Dec 31, 2024 · Updated Jun 26, 2026

High · CVSS 7.1

CVE-2024-12582: Skupper: skupper-cli: flawed authentication method may lead to arbitrary file read or denial of service

A flaw was found in the skupper console, a read-only interface that renders cluster network, traffic details, and metrics for a network application that a user sets up across a hybrid multi-cloud environment. When the default authentication method is used, a random password is generated for the "admin" user and is persisted in either a Kubernetes secret or a podman volume in a plaintext file. This authentication method can be manipulated by an attacker, leading to the reading of any user-readable file in the container filesystem, directly impacting data confidentiality. Additionally, the attacker may induce skupper to read extremely large files into memory, resulting in resource exhaustion and a denial of service attack.

Published Dec 24, 2024 · Updated Jun 18, 2026

Critical · CVSS 9.8

CVE-2024-55875: http4k has a potential XXE (XML External Entity Injection) vulnerability

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=""`, `ACCESS_EXTERNAL_SCHEMA=""`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `<!DOCTYPE>` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `<!DOCTYPE>` is now rejected at parse time.

Published Dec 12, 2024 · Updated Jun 9, 2026

Medium · CVSS 5.3

CVE-2024-7488: Business Logic Error in RestApp Inc.'s Online Ordering System

Integer Overflow or Wraparound, Improper Validation of Specified Quantity in Input vulnerability in RestApp Inc. Online Ordering System allows Integer Attacks. This issue affects Online Ordering System: 8.2.1. NOTE: Vulnerability fixed in version 8.2.2 and does not exist before 8.2.1.

Published Dec 4, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.8

CVE-2024-8259: Unauthenticated SQLi in Eryaz IT's NatraCar B2B Dealer Management Program

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection. This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported.

Published Dec 9, 2024 · Updated Jun 2, 2026

Critical · CVSS 9.9

CVE-2024-8950: SQLi in Arne Informatics' Piramit Automation

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arne Informatics Piramit Automation allows Blind SQL Injection. This issue affects Piramit Automation: before 27.09.2024.

Published Dec 25, 2024 · Updated Jun 2, 2026

Critical · CVSS 9.8

CVE-2024-8972: SQLi in Mobil365 Informatics' Saha365 App

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobil365 Informatics Saha365 App allows SQL Injection. This issue affects Saha365 App: before 30.09.2024.

Published Dec 17, 2024 · Updated Jun 2, 2026

Medium · CVSS 6.5

CVE-2024-9819: IDOR in NextGEO's NG Analyser

Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse. This issue affects NG Analyser: before 2.2.711.

Published Dec 17, 2024 · Updated Jun 2, 2026