Vulnerability Analysis
In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.
568 articles
BuildKit Privileged Entitlement Check Bypass Enabling Hos...
CVE-2024-23653 lets malicious Dockerfiles bypass BuildKit's privileged entitlement check via the interactive containers API, escaping to the host.
BuildKit Build-Time Container Teardown Arbitrary File Del...
A malicious Dockerfile can exploit CVE-2024-23652 to make BuildKit delete arbitrary host files during build teardown. Here's what's affected and how to fix it.
BuildKit Mount Cache Race Condition Vulnerability (CVE-20...
CVE-2024-23651 is a high-severity BuildKit race condition that can expose host files to build containers via shared cache mounts. Here's the full breakdown.
CVE-2024-21626: runc process.cwd Container Breakout Deep ...
A technical breakdown of CVE-2024-21626, the runc process.cwd() flaw enabling container breakout to host access, with detection and remediation guidance.
Log4Shell (CVE-2021-44228) Deep Dive: JNDI Injection in L...
Log4Shell (CVE-2021-44228) let attackers achieve remote code execution via a single logged string. A deep dive into the JNDI flaw, its impact, and remediation.
Spring4Shell (CVE-2022-22965) Deep Dive: RCE via Data Bin...
A technical breakdown of Spring4Shell (CVE-2022-22965): the data-binding RCE, affected Spring/Tomcat configurations, severity, timeline, and how to remediate and detect exposure.
CVE-2018-16487: Prototype pollution in lodash via merge/m...
CVE-2018-16487 let attackers pollute Object.prototype through lodash's merge, mergeWith, and defaultsDeep — a bypass of an earlier fix, patched in 4.17.11.
CVE-2020-8203: Prototype pollution in lodash zipObjectDeep
CVE-2020-8203 lets attackers pollute JavaScript's Object prototype via lodash's zipObjectDeep function, risking DoS or RCE in downstream apps.
CVE-2021-23337: Command injection in lodash template func...
CVE-2021-23337 enables command injection via lodash's template function in versions before 4.17.21. Here's the CVSS context, timeline, and how to remediate it.
CVE-2021-44906: Prototype pollution in minimist
CVE-2021-44906 exposed a prototype pollution flaw in minimist versions before 1.2.6, letting attackers pollute Object.prototype via crafted parser keys.
CVE-2017-16137: ReDoS in debug package
CVE-2017-16137 is a ReDoS flaw in the debug npm package that can hang Node.js apps on crafted input. Here's what's affected and how to fix it.
CVE-2018-3728: Prototype pollution in hoek
CVE-2018-3728 is a prototype pollution flaw in Hoek's merge functions, exposing hapi.js and Joi-based apps to __proto__ injection. Here's the impact, fix, and remediation path.