Vulnerability Analysis
In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.
568 articles
curl SOCKS5 Heap Overflow (CVE-2023-38545) Explained: When a Long Hostname Broke the Handshake
CVE-2023-38545 is a heap buffer overflow in curl and libcurl's SOCKS5 proxy handshake, triggered when a too-long hostname is copied into a fixed buffer during a slow handshake. Here is the bug.
Ghostscript (CVE-2023-36664) Explained: Command Injection via Pipe Devices
CVE-2023-36664 let a crafted PostScript or EPS file run system commands through Ghostscript's mishandling of pipe device filenames. Because Ghostscript hides behind image tools, the blast radius was wide.
Ivanti Connect Secure CVE-2024-21887 Explained: Command Injection in a Two-Bug Chain
CVE-2024-21887 is a command injection in Ivanti Connect Secure that, chained with the auth bypass CVE-2023-46805, gave attackers unauthenticated RCE. Here is the timeline, root cause, and patched versions.
PHP-CGI Argument Injection RCE on Windows (CVE-2024-4577) Explained
CVE-2024-4577 revived a decade-old PHP-CGI flaw through a Windows Unicode 'best-fit' quirk, yielding unauthenticated RCE. Here's the mechanism and the patched versions.
Terrapin Attack (CVE-2023-48795) Explained: SSH's Prefix Truncation Flaw
CVE-2023-48795, the Terrapin attack, is a protocol-level flaw letting a MITM silently truncate the start of an SSH session. Here is how it works, what it downgrades, and how to fix it.
Barracuda ESG CVE-2023-2868 Explained: The Command Injection That Ended in Hardware Replacement
CVE-2023-2868 is a command injection in the Barracuda Email Security Gateway, exploited as a zero-day by UNC4841 for months. Rated CVSS 9.8, it ended with Barracuda advising physical appliance replacement.
Confluence Broken Access Control Zero-Day (CVE-2023-22515) Explained
CVE-2023-22515 let unauthenticated attackers create rogue administrator accounts on Confluence Data Center and Server. Here's the broken-access-control flaw and how to fix it.
OpenSSL Punycode Overflow (CVE-2022-3602) Explained
CVE-2022-3602 was pre-announced as OpenSSL's next critical bug, then downgraded to high. Here is what the X.509 punycode buffer overflow actually does, why the panic cooled, and how to patch.
regreSSHion (CVE-2024-6387) Explained: A Signal-Handler Race That Reopened an Old OpenSSH RCE
CVE-2024-6387, regreSSHion, is an unauthenticated remote code execution flaw in OpenSSH's sshd caused by a signal-handler race — a regression of a bug fixed back in 2006.
Text4Shell (CVE-2022-42889) Explained: RCE in Apache Commons Text Interpolation
CVE-2022-42889, Text4Shell, let attackers run code through Apache Commons Text's string interpolation when apps passed untrusted input to StringSubstitutor. Here is the flaw and why it was narrower than feared.
Citrix Bleed (CVE-2023-4966) Explained: Leaking Session Tokens Straight Past MFA
CVE-2023-4966, Citrix Bleed, let unauthenticated attackers read memory from NetScaler appliances and steal valid session tokens — hijacking sessions and bypassing multi-factor authentication.
Dirty Pipe (CVE-2022-0847) Explained: Overwriting Read-Only Files in the Linux Kernel
CVE-2022-0847, Dirty Pipe, let unprivileged users overwrite data in read-only files through an uninitialized pipe flag — a clean path to root. Here is the page-cache mechanism behind it.