Every CVE whose affected-product data names Jetbrains Ktor, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (21)
CVE-2019-12736 — CVSS 9.8 (critical): JetBrains Ktor framework before 1.2.0-rc does not sanitize the username provided by the user for the LDAP protocol, leading to command…
CVE-2022-29930 — CVSS 8.7 (high): SHA1 implementation in JetBrains Ktor Native 2.0.0 was returning the same value. The issue was fixed in Ktor version 2.0.1.
CVE-2023-45612 — CVSS 8.6 (high): In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE
CVE-2019-10102 — CVSS 8.1 (high): JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection…
CVE-2021-43203 — CVSS 7.5 (high): In JetBrains Ktor before 1.6.4, nonce verification during the OAuth2 authentication process is implemented improperly.
CVE-2019-19703 — CVSS 6.1 (medium): In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location.
CVE-2020-5207 — CVSS 5.4 (medium): In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding…
CVE-2019-12737 — CVSS 5.3 (medium): UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.
CVE-2023-34339 — CVSS 3.3 (low): In JetBrains Ktor before 2.3.1 headers containing authentication data could be added to the exception's message
CVE-2022-29035 — CVSS 3.3 (low): In JetBrains Ktor Native before version 2.0.0 random values used for nonce generation weren't using SecureRandom implementations