Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1052 articles

Vulnerability Analysis

IPython crafted directory code execution (CVE-2022-21699)

CVE-2022-21699 lets attackers plant crafted profile files in shared directories, triggering silent code execution when victims launch IPython or Jupyter sessions.

Dec 30, 20258 min read
Vulnerability Analysis

Python urllib.parse NFKC normalization blocklist bypass (CVE-2023-24329)

CVE-2023-24329 let attackers bypass URL blocklists via leading blank characters in Python's urllib.parse, enabling SSRF and filter evasion.

Dec 29, 20257 min read
Vulnerability Analysis

Python tarfile extraction path traversal, the 15-year-old flaw (CVE-2007-4559)

CVE-2007-4559, a path traversal flaw in Python's tarfile module, still lurks in hundreds of thousands of repos. Here's the impact, timeline, and fix.

Dec 29, 20258 min read
Incident Analysis

ctx and colourama PyPI typosquat malware incident

The ctx and colourama PyPI typosquatting malware incident shows how account takeover and name-squatting delivered credential-stealing code to devs.

Dec 29, 20257 min read
Vulnerability Analysis

Python email module address-parsing confusion (CVE-2023-27043)

CVE-2023-27043 shows how a Python email-parsing quirk lets attackers spoof trusted domains and bypass allowlist-based access controls silently.

Dec 28, 20259 min read
Vulnerability Analysis

Kubernetes Python client aggregated API vulnerability (CVE-2022-3172)

CVE-2022-3172 lets a rogue aggregated API backend redirect authenticated Kubernetes API traffic, exposing Python client apps to credential theft.

Dec 28, 20257 min read
Vulnerability Analysis

Django str.format denial of service (CVE-2023-41164)

CVE-2023-41164 lets attackers DoS Django apps via a str.format() flaw in uri_to_iri(). Here's what's affected, severity context, and how to fix it.

Dec 28, 20256 min read
Vulnerability Analysis

Django QuerySet.explain SQL injection (CVE-2022-28346)

A Django ORM flaw let unvalidated input reach EXPLAIN and annotate() SQL generation. Here's the CVE-2022-28347 impact, fix, and defense playbook.

Dec 27, 20257 min read
Vulnerability Analysis

Jinja2 sandbox escape (CVE-2022-29361)

CVE-2022-29361 lets attackers bypass Jinja2's SandboxedEnvironment via str.format, reaching unsafe attributes and risking RCE in untrusted-template apps.

Dec 26, 20257 min read
Vulnerability Analysis

Jinja2 xmlattr filter XSS (CVE-2024-22195)

CVE-2024-22195 lets attacker-controlled dict keys bypass Jinja2's xmlattr escaping for XSS. Learn affected versions, CVSS/EPSS context, and fixes.

Dec 26, 20257 min read
Vulnerability Analysis

Jackson-databind polymorphic deserialization RCE (CVE-2017-15095)

A critical jackson-databind deserialization vulnerability (CVE-2017-15095) lets unauthenticated attackers achieve RCE via HikariCP gadget classes.

Dec 25, 20257 min read
Regulatory Compliance

FCC and CISA guidance on telecom software supply chain se...

FCC telecom software supply chain guidance now overlaps with the Covered List and CISA telecom advisories. Here's what carriers must actually track.

Dec 25, 20257 min read
supply-chain-security (Page 56) — Safeguard Blog