Safeguard
Tag

software-supply-chain

Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.

526 articles

Vulnerability Analysis

CVE-2021-33503: ReDoS in urllib3 URL authority parsing

CVE-2021-33503 exposes urllib3 before 1.26.5 to a ReDoS in URL authority parsing, letting attacker URLs exhaust CPU. What to patch and why.

Oct 7, 20257 min read
Vulnerability Analysis

CVE-2020-14343: PyYAML arbitrary code execution via pytho...

CVE-2020-14343 lets attackers run arbitrary code via PyYAML's python/object/new tag, bypassing an earlier FullLoader fix. Versions, CVSS, and remediation inside.

Oct 6, 20257 min read
Application Security

CVE-2021-25288: Buffer overflow in Pillow FLI decoder

CVE-2021-25288 is a buffer overflow in Pillow's FLI decoder, fixed in Pillow 8.1.0. Here's what's affected, the risk profile, and how to remediate.

Oct 5, 20258 min read
Vulnerability Analysis

CVE-2020-35655: Decompression bomb DoS in Pillow

A crafted image file could force Pillow to over-allocate memory, causing denial of service. Here's what CVE-2020-35655 affects, its severity, and how to remediate it.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2023-50447: Arbitrary code execution via Pillow Image...

A patch bypass in Pillow's ImageMath.eval() reopens arbitrary code execution first flagged in CVE-2022-22817. Here's what changed and how to remediate it.

Oct 4, 20258 min read
Vulnerability Analysis

CVE-2019-1010083: Denial of service in Flask via large mu...

CVE-2019-1010083 let attackers crash Flask apps with crafted multipart requests. Here's the impact, affected versions, and how to remediate the DoS flaw.

Oct 3, 20257 min read
Vulnerability Analysis

CVE-2020-27783: Cross-site scripting bypass in lxml html ...

CVE-2020-27783 lets attackers bypass lxml's html.clean.Cleaner sanitizer to smuggle XSS past HTML cleaning. Here's what's affected and how to remediate it.

Oct 2, 20257 min read
Vulnerability Analysis

CVE-2018-11776: Remote code execution in Apache Struts2 v...

CVE-2018-11776 lets attackers achieve unauthenticated RCE in Apache Struts2 via crafted namespace/OGNL injection. Affected versions, timeline, and fixes.

Oct 1, 20257 min read
Vulnerability Analysis

CVE-2015-6420: Deserialization vulnerability via Apache C...

How a vulnerable Apache Commons Collections library let attackers achieve remote code execution via Java deserialization gadget chains, and what CVE-2015-6420 still teaches about supply chain risk.

Sep 30, 20258 min read
Vulnerability Analysis

CVE-2019-12384: Polymorphic deserialization gadget in Jac...

CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2021-33037: HTTP request smuggling in Apache Tomcat

CVE-2021-33037 let malformed HTTP trailers desync Apache Tomcat from front-end proxies, enabling request smuggling. Here's what's affected and how to remediate.

Sep 24, 20257 min read
Vulnerability Analysis

CVE-2020-9484: Deserialization RCE via Apache Tomcat Pers...

A deep dive into CVE-2020-9484, the Apache Tomcat PersistenceManager deserialization RCE — affected versions, CVSS/EPSS context, and remediation steps.

Sep 23, 20257 min read
software-supply-chain (Page 33) — Safeguard Blog