Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Vulnerability Analysis

CVE-2022-0235: node-fetch forwards sensitive headers on r...

CVE-2022-0235: node-fetch forwarded cookie and authorization headers across cross-origin redirects. Affected versions, exploitability context, and remediation steps.

Oct 13, 20258 min read
Vulnerability Analysis

CVE-2022-0155: follow-redirects leaks Proxy-Authorization...

CVE-2022-0155: follow-redirects leaked Proxy-Authorization headers across hosts on redirect, exposing proxy credentials via axios and other widely used npm HTTP clients.

Oct 13, 20258 min read
Vulnerability Analysis

CVE-2022-0536: follow-redirects leaks Authorization heade...

CVE-2022-0536 let follow-redirects forward Authorization headers to third-party hosts on cross-domain redirects, exposing tokens and credentials.

Oct 12, 20258 min read
Vulnerability Analysis

CVE-2022-25883: ReDoS in semver package

CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2021-23364: ReDoS in browserslist

A regex denial of service in browserslist (CVE-2021-23364) could stall Node.js builds via crafted version strings. Here's the fix and how Safeguard catches it.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2023-32314: Sandbox escape in vm2

CVE-2023-32314 let attackers escape the vm2 Node.js sandbox for remote code execution. Here's the CVSS 10.0 flaw, affected versions, timeline, and fixes.

Oct 10, 20258 min read
Vulnerability Analysis

CVE-2023-30547: Sandbox escape via Node custom inspect in...

CVE-2023-30547 lets attackers escape the vm2 Node.js sandbox via a crafted custom inspect method, achieving host code execution. Here's the impact, timeline, and fix.

Oct 10, 20258 min read
Vulnerability Analysis

CVE-2022-3517: ReDoS in minimatch pattern matching

CVE-2022-3517 is a high-severity ReDoS flaw in minimatch's glob-to-regex conversion, impacting a huge share of the npm ecosystem's dependency graph.

Oct 9, 20257 min read
Vulnerability Analysis

CVE-2021-43138: Code injection risk in async npm package

A prototype-pollution flaw in async's iterator functions (CVE-2021-43138) could escalate to code injection. Affected versions, severity, timeline, and remediation steps inside.

Oct 9, 20258 min read
Vulnerability Analysis

CVE-2018-14574: Open redirect in Django CommonMiddleware

CVE-2018-14574 let attackers abuse Django CommonMiddleware's APPEND_SLASH redirect to send users to external, attacker-controlled domains.

Oct 9, 20257 min read
Vulnerability Analysis

CVE-2020-9402: SQL injection via Django GIS functions

CVE-2020-9402 let attackers inject SQL through GeoDjango's tolerance parameter on Oracle backends. Here's what's affected, severity context, and how to remediate.

Oct 8, 20259 min read
Vulnerability Analysis

CVE-2018-18074: requests library leaks Authorization head...

The Python requests library leaked Authorization headers on same-host HTTPS-to-HTTP redirects, exposing credentials to sniffing before v2.20.0.

Oct 7, 20258 min read
supply-chain-security (Page 73) — Safeguard Blog