Vulnerability Analysis
In-depth guides and analysis on vulnerability analysis from the Safeguard engineering team.
568 articles
CVE-2015-6420: Deserialization vulnerability via Apache C...
How a vulnerable Apache Commons Collections library let attackers achieve remote code execution via Java deserialization gadget chains, and what CVE-2015-6420 still teaches about supply chain risk.
CVE-2019-12384: Polymorphic deserialization gadget in Jac...
CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.
CVE-2019-12814: Jackson-databind polymorphic type gadget ...
A look at CVE-2019-12814, a jackson-databind polymorphic typing gadget tied to JAXB classes, its risk profile, and how to remediate it in modern Java stacks.
CVE-2019-14379: Jackson-databind deserialization via jdk....
CVE-2019-14379 lets attackers abuse jackson-databind's polymorphic deserialization via a JDK Nashorn gadget class. Here's the risk, fix, and detection guidance.
CVE-2019-14540: Jackson-databind blacklist bypass via c3p...
CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.
CVE-2019-16335: Jackson-databind gadget via jackson-dataf...
CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.
CVE-2020-1938 (Ghostcat): File inclusion via Apache Tomca...
Ghostcat (CVE-2020-1938) let attackers read files—and often achieve RCE—via Tomcat's default, unauthenticated AJP connector. Here's the risk, fix, and KEV context.
CVE-2021-33037: HTTP request smuggling in Apache Tomcat
CVE-2021-33037 let malformed HTTP trailers desync Apache Tomcat from front-end proxies, enabling request smuggling. Here's what's affected and how to remediate.
CVE-2019-0232: Remote code execution in Apache Tomcat CGI...
CVE-2019-0232 lets attackers execute arbitrary commands on Windows-hosted Apache Tomcat via the CGI Servlet. Here's the CVSS 9.8 detail, affected versions, and fixes.
CVE-2020-9484: Deserialization RCE via Apache Tomcat Pers...
A deep dive into CVE-2020-9484, the Apache Tomcat PersistenceManager deserialization RCE — affected versions, CVSS/EPSS context, and remediation steps.
CVE-2021-25122: Request mix-up via Apache Tomcat h2c support
CVE-2021-25122 let Apache Tomcat mix up HTTP responses between concurrent users via the h2c upgrade path. Here's the impact, affected versions, and how to remediate.
CVE-2021-25329: Incomplete fix of Tomcat PersistenceManag...
CVE-2021-25329 shows how Tomcat's PersistenceManager deserialization fix (CVE-2020-9484) was incomplete, still risking RCE in edge-case configs.