supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1052 articles
IPython crafted directory code execution (CVE-2022-21699)
CVE-2022-21699 lets attackers plant crafted profile files in shared directories, triggering silent code execution when victims launch IPython or Jupyter sessions.
Python urllib.parse NFKC normalization blocklist bypass (CVE-2023-24329)
CVE-2023-24329 let attackers bypass URL blocklists via leading blank characters in Python's urllib.parse, enabling SSRF and filter evasion.
Python tarfile extraction path traversal, the 15-year-old flaw (CVE-2007-4559)
CVE-2007-4559, a path traversal flaw in Python's tarfile module, still lurks in hundreds of thousands of repos. Here's the impact, timeline, and fix.
ctx and colourama PyPI typosquat malware incident
The ctx and colourama PyPI typosquatting malware incident shows how account takeover and name-squatting delivered credential-stealing code to devs.
Python email module address-parsing confusion (CVE-2023-27043)
CVE-2023-27043 shows how a Python email-parsing quirk lets attackers spoof trusted domains and bypass allowlist-based access controls silently.
Kubernetes Python client aggregated API vulnerability (CVE-2022-3172)
CVE-2022-3172 lets a rogue aggregated API backend redirect authenticated Kubernetes API traffic, exposing Python client apps to credential theft.
Django str.format denial of service (CVE-2023-41164)
CVE-2023-41164 lets attackers DoS Django apps via a str.format() flaw in uri_to_iri(). Here's what's affected, severity context, and how to fix it.
Django QuerySet.explain SQL injection (CVE-2022-28346)
A Django ORM flaw let unvalidated input reach EXPLAIN and annotate() SQL generation. Here's the CVE-2022-28347 impact, fix, and defense playbook.
Jinja2 sandbox escape (CVE-2022-29361)
CVE-2022-29361 lets attackers bypass Jinja2's SandboxedEnvironment via str.format, reaching unsafe attributes and risking RCE in untrusted-template apps.
Jinja2 xmlattr filter XSS (CVE-2024-22195)
CVE-2024-22195 lets attacker-controlled dict keys bypass Jinja2's xmlattr escaping for XSS. Learn affected versions, CVSS/EPSS context, and fixes.
Jackson-databind polymorphic deserialization RCE (CVE-2017-15095)
A critical jackson-databind deserialization vulnerability (CVE-2017-15095) lets unauthenticated attackers achieve RCE via HikariCP gadget classes.
FCC and CISA guidance on telecom software supply chain se...
FCC telecom software supply chain guidance now overlaps with the Covered List and CISA telecom advisories. Here's what carriers must actually track.